Prisma Access - Explicit proxy takes the action 'Sinkhole' even though another option is specified in the anti-spyware profile created by the customer

Created On 12/15/21 04:29 AM - Last Modified 10/27/25 16:48 PM


Symptom


The action "block" is selected for Command and Control Domains or Malware Domains under the DNS security setting in the anti-spyware profile.


However, the Threat log shows the DNS traffic being processed with the Sinkhole action.


For Remote Networks or Mobile Users, the same DNS query is processed with the action specified in the anti-spyware profile.



Environment


  • Prisma Access
  • Explicit Proxy
  • DNS Security


Cause


  • In Explicit Proxy, the action for the Malware and C2 categories is set to Sinkhole.
  • Sinkhole is selected over the Block action because we want to prevent retries from malicious scripts.


Resolution


This behavior is as designed and expected, and there is no workaround when using Explicit Proxy.


