DNS Security: basic debugging when data is missing in the AutoFocus cloud
50933
Created On 02/24/21 23:01 PM - Last Modified 08/13/24 08:54 AM
Objective
This article lists the basic verification and debugging steps for DNS Security. If you run into a DNS Security problem, troubleshoot it step by step.
In most cases this will help you identify and resolve the problem; if it remains unresolved, open a support case with Palo Alto Networks Support and include this information.
Environment
- Any Palo Alto Networks firewall
- PAN-OS 9.x.x and 10.x.x
- DNS Security license
Procedure
The following are the basic debugging steps for verifying the DNS Security feature configuration, the license and the cloud connectivity. While going through them you may identify the problem yourself; if not, open a support case with the information below.
1. Check the license on the firewall

   > request license info

   Note: The result should look as follows.

   License entry:
   Feature: DNS Security
   Description: Palo Alto Networks DNS Security License
   Serial: xxxxxxxxxxxx
   Issued: January xx, 2021
   Expires: January xx, 2024
   Expired?: no
   Base license: PA-VM
2. Check the AutoFocus status by visiting https://status.paloaltonetworks.com/
3. Check the connection information

   > show dns-proxy dns-signature info

   Note: The result should look as follows.

   Cloud URL:                      dns.service.paloaltonetworks.com:443
   Last Result:                    Good ( 46 sec ago )
   Last Server Address:            130.211.8.196
   Parameter Exchange:             Interval 1800 sec
   Whitelist Refresh:              Interval 86400 sec ( Due 71954 sec )
   Request Waiting Transmission:   0
   Request Pending Response:       0
   Cache Size:                     10000
4. For the DNS Security feature to be enabled and working, the DNS Security action should be "sinkhole", "alert" or "block". When a new Anti-Spyware profile is created, the default action is determined by the Palo Alto Networks content release, so double-check the action. If the action is "allow", DNS Security will not work.
- For PAN-OS 9.x.x, add "Palo Alto Networks DNS Security" as shown below.
- For PAN-OS 10.x.x, you should choose among the different categories provided by DNS Security.
5. Check the DNS proxy counters, as they provide a lot of useful information across many lines of counters. I have kept only some of the interesting ones.
- From these lines, check the "Signature query API" section for the request and request_error counters.
- These counters have three columns: the first is cumulative, the second is the delta since the last run of the op command, and the third is the per-second delta.
- Another counter to notice is latency. Time is in milliseconds (ms), with max, min and avg, followed by a bucket breakdown.

   > show dns-proxy dns-signature counters

   Signature query API:
   [request               ] : 59   +7   +0 /sec
   [request_error         ] : 0    +0   +0 /sec
   [initial_connection    ] : 40   +6   +0 /sec
   [response              ] : 59   +7   +0 /sec

   Note: Another counter to notice is latency.

   [latency               ] : max 21 (ms) min 0(ms) avg 17(ms)
     50 or less  : 19
     100 or less : 0
     200 or less : 0
     400 or less : 0
     else        : 0
6. The default latency value is 100 ms. If you see DNS requests falling into the "200 or less: 0" bucket or beyond, you can configure the cloud-dns-timeout as follows.
# set deviceconfig setting ctd cloud-dns-timeout
<value> <0-60000> set cloud DNS signature query timeout in milliseconds
7. You can check the DNS proxy cache with the following command. It lists the whole cache, which can be a very long list; select a single entry to narrow it down.

   > show dns-proxy dns-signature cache          ==> brings back all 10000 entries, please select one.
   Cache size: 10000

   > show dns-proxy dns-signature cache fqdn <name for only one domain>

   > show dns-proxy dns-signature cache fqdn italic.com
   Domain          Verdict      GTID     TTL     Hits
   ----------------------------------------------------------------------------
   *.italic.com    White list   31388    0
8. Check the global counters before and after the DNS request.
admin@PA-VM> show counter global | match ctd_dns
ctd_dns_req_lookup_action 1 0 info ctd pktproc DNS request signature lookup yield actions
ctd_dns_req_lookup_noaction 1151 0 info ctd pktproc DNS request signature lookup yield no actions
ctd_dns_req_lookup_miss 83 0 info ctd pktproc DNS request signature lookup not found
ctd_dns_wait_pkt_drop 87 0 drop ctd pktproc DNS packet drop when waiting
ctd_dns_sess_state_verify_failed 1 0 drop ctd pktproc DNS packet drop due to session state invalid
ctd_dns_malicious_reply 2 0 info ctd pktproc MP malicious response received
ctd_dns_benign_reply 72 0 info ctd pktproc MP benign response received
ctd_dns_failed_reply 10 0 info ctd pktproc MP failed response received
Note: only some lines are kept.
9. This is one of the important debug commands for testing the DNS Security function on the firewall, because it triggers a signature lookup from the firewall management plane (MP).

   This will clear the counters:
   > clear dns-proxy dns-signature counters

   The following command is an op command that emulates the DNS query from the management plane and helps to check the connectivity:
   > debug dnsproxyd dns-signature query bypass-cache yes fqdn test-malware.testpanw.com
   Debug dns-signature command successful.

   Note: In the next command you can see that the counters have increased. The output has been modified to show only the relevant counters.

   > show dns-proxy dns-signature counters
   [response_send         ] : 1   +0   +0 /sec
   [request_enqueue       ] : 1   +0   +0 /sec
   [request_process       ] : 1   +0   +0 /sec
   [request_batch         ] : 1   +0   +0 /sec
   [response_batch        ] : 1   +0   +0 /sec
   [response_complete     ] : 1   +0   +0 /sec
   [cloud_query           ] : 1   +0   +0 /sec
   Signature query API:
   [request               ] : 1   +0   +0 /sec
   [response              ] : 1   +0   +0 /sec
   [latency               ] : max 12 (ms) min 0(ms) avg 12(ms)
     50 or less  : 1
     100 or less : 0
     200 or less : 0
     400 or less : 0
     else        : 0
10. Now select a client behind the firewall and make sure the client's traffic hits a policy that has the Anti-Spyware profile with DNS Security enabled. Send a DNS lookup request for a malicious domain and collect the global counters again. If the counters are changing, it means the requests are being sent and received.

   From the PAN CLI, clear the NGFW DNS cache entry:
   > clear dns-proxy dns-signature cache fqdn test-malware.testpanw.com

   From the client:
   $ nslookup test-malware.testpanw.com
   ;; connection timed out; no servers could be reached      ===> most of the time it may time out
   $ nslookup test-dga.testpanw.com
   $ nslookup test-malware.testpanw.com

   From the firewall:
   > show counter global filter delta yes | match ctd_dns
   ctd_dns_req_lookup_action          1   0 info  ctd  pktproc  DNS request signature lookup yield actions
   ctd_dns_req_lookup_miss            1   0 info  ctd  pktproc  DNS request signature lookup not found
   ctd_dns_malicious_reply            1   0 info  ctd  pktproc  MP malicious response received
   ctd_dns_wildcard_reply             1   0 info  ctd  pktproc  MP wildcard response received
   ctd_dns_req_lookup_em              1   0 info  ctd  pktproc  DNS cache lookup matched
   ctd_dns_request_mp                 1   0 info  ctd  pktproc  number of requests sent to MP
   ctd_dns_telemetry_req              2   0 info  ctd  pktproc  number of telemetry requests sent to MP
   ctd_dns_pkt_denied                 1   0 info  ctd  pktproc  number of DNS pkt denied
   ctd_dns_action_block               2   0 info  ctd  pktproc  DNS signature trigger block action
   ctd_dns_action_log                 2   0 info  ctd  pktproc  DNS signature trigger log action
   ctd_dns_action_pktlog              2   0 info  ctd  pktproc  DNS signature trigger packet capture action
11. Log in to your AutoFocus and check the DNS Security tab. If DNS Security is working properly, you will be able to see your DNS query requests there.
12. Please attach all of this information to the support case.
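As an added example (not part of the original article or any Palo Alto Networks tool), the following script parses the "Signature query API" section of the show dns-proxy dns-signature counters output from steps 5 and 6 and flags the conditions the procedure tells you to look for: no new requests, request_error deltas, and latency buckets above the cloud-dns-timeout. The sample output is constructed in the format shown above; the 100 ms threshold is the page's default timeout.

```python
import re

# Constructed sample in the format of "show dns-proxy dns-signature counters"
# (not captured from a real firewall).
SAMPLE = """
Signature query API:
  [request               ] :    59    +7    +0 /sec
  [request_error         ] :     0    +0    +0 /sec
  [initial_connection    ] :    40    +6    +0 /sec
  [response              ] :    59    +7    +0 /sec
  [latency               ] : max 21 (ms) min 0(ms) avg 17(ms)
    50 or less  : 19
    100 or less : 0
    200 or less : 0
    400 or less : 0
    else        : 0
"""

# cumulative, delta since last run, per-second delta (the three columns on the page)
COUNTER_RE = re.compile(r"\[(\w+)\s*\]\s*:\s*(\d+)\s+([+-]\d+)\s+([+-]\d+)\s*/sec")
LATENCY_RE = re.compile(r"\[latency\s*\]\s*:\s*max\s+(\d+)\s*\(ms\)\s*min\s+(\d+)\s*\(ms\)\s*avg\s+(\d+)\s*\(ms\)")
BUCKET_RE = re.compile(r"^\s*(\d+ or less|else)\s*:\s*(\d+)")


def parse_counters(text):
    """Return (counters {name: (cumulative, delta, per_sec)}, latency {max,min,avg}, buckets {label: count})."""
    counters, latency, buckets = {}, {}, {}
    for line in text.splitlines():
        if m := COUNTER_RE.search(line):
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
        elif m := LATENCY_RE.search(line):
            latency = {"max": int(m.group(1)), "min": int(m.group(2)), "avg": int(m.group(3))}
        elif m := BUCKET_RE.match(line):
            buckets[m.group(1)] = int(m.group(2))
    return counters, latency, buckets


def assess(counters, latency, buckets, timeout_ms=100):
    """Apply the page's checks; returns a list of findings (empty means the counters look healthy)."""
    findings = []
    req = counters.get("request", (0, 0, 0))
    err = counters.get("request_error", (0, 0, 0))
    if req[1] == 0:
        findings.append("no new signature queries since the last run: traffic may not hit a DNS Security profile")
    if err[1] > 0:
        findings.append(f"{err[1]} new request_error(s): check cloud connectivity (step 3)")
    if latency and latency["max"] > timeout_ms:
        findings.append(f"max latency {latency['max']} ms exceeds cloud-dns-timeout {timeout_ms} ms")
    # buckets whose upper bound is above the timeout (and the open-ended "else" bucket) hold slow queries
    slow = sum(n for label, n in buckets.items() if label == "else" or int(label.split()[0]) > timeout_ms)
    if slow:
        findings.append(f"{slow} queries slower than {timeout_ms} ms: consider raising cloud-dns-timeout (step 6)")
    return findings
```

Paste the real counter output into SAMPLE (or read it from a file) and call assess on the parsed result; an empty list means none of the page's warning signs are present.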
Additional Information
How to configure DNS Security
"How to add an exception for only one domain when the DGA category is blocking it"