Why is the Threat ID/Current Release For DNS Signature Showing up as 'n/a' for DNS Signatures in ThreatVault?

Created On 04/25/19 15:18 PM - Last Modified 06/08/23 08:45 AM


Question


Why is the Threat ID/Current Release for DNS signature showing up as 'n/a' for DNS signatures?



Answer


This means that the DNS signature associated with the domain has been either disabled or replaced in the current Antivirus or WildFire release. There is a fixed range for DNS signatures, and we ship the most relevant domains in the signature list. Domains that do not meet the most-relevant criteria (based on our threat intelligence) get replaced.

Even if the signature was replaced, the URL category of the domain remains Malware/C2/Phishing, so any HTTP/HTTPS-based communication to that domain gets blocked by the firewall.

Also, with the DNS Security feature introduced in PAN-OS 9.0, DNS name resolution for a malicious domain can be blocked or sinkholed because the firewall performs a real-time lookup against the DNS Security cloud.

Reference:
https://docs.paloaltonetworks.com/dns-security/administration/configure-dns-security/enable-dns-security


Disabled, replaced, and newly added signatures in every release are listed in the Antivirus release notes.
 


Additional Information


What is the meaning of "Current Release: n/a" on ThreatVault?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNA9CAM

How to Check DNS Security Lookup Cache from CLI
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boSACAY

https://www.paloaltonetworks.com/network-security/dns-security
 

