How to bypass DNS security

Created On 03/28/22 01:04 AM - Last Modified 02/13/23 10:14 AM


Objective


Bypass DNS security logic

Environment


  • Palo Alto Firewalls
  • PAN-OS 10.0 and greater
  • DNS Security


Procedure


If you have DNS Security enabled and you want to completely bypass its logic, log in to the firewall, select Objects > Security Profiles > Anti-Spyware profile > (name) and:
  1. Change the action for all DNS Security categories under the "DNS Policies" tab to "Allow".
  2. Set the log severity to "None" for all DNS Security categories.
  3. Have an empty allow list: remove all DNS Domain/FQDN Allow List entries in the "DNS Exceptions" tab.
  4. "Commit" the configuration.
Once this is done, the DNS Security logic is completely skipped on the DP (data plane). There is no attempt to contact the cloud for a verdict; the device acts as if DNS Security does not exist at all.
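Because the three settings above silently turn DNS Security off for every rule that uses the profile, a change-review process should be able to spot an Anti-Spyware profile that has been put into this state. The audit script below is an added example, not code from this article or from Palo Alto Networks. It parses a constructed, simplified XML layout that is assumed for illustration only (it is not the real PAN-OS configuration schema, so the XPath expressions must be adapted to an actual export), and it reports which profiles meet all three conditions from the procedure (every category set to allow, log severity none everywhere, and an empty DNS Domain/FQDN allow list) versus profiles that meet only some of them. The category and profile names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in an ASSUMED, simplified layout. This is NOT the real
# PAN-OS configuration schema; adapt the XPath expressions below to a real
# configuration export before using the check. Category and profile names
# are made up for the example.
SAMPLE_CONFIG = """
<config>
  <profiles>
    <spyware>
      <entry name="strict-dns">
        <dns-policies>
          <dns-security>
            <category name="malware" action="sinkhole" log-severity="default"/>
            <category name="command-and-control" action="sinkhole" log-severity="default"/>
          </dns-security>
        </dns-policies>
        <dns-exceptions>
          <allow-list>
            <entry name="example.com"/>
          </allow-list>
        </dns-exceptions>
      </entry>
      <entry name="allow-but-log">
        <dns-policies>
          <dns-security>
            <category name="malware" action="allow" log-severity="informational"/>
            <category name="command-and-control" action="allow" log-severity="informational"/>
          </dns-security>
        </dns-policies>
        <dns-exceptions><allow-list/></dns-exceptions>
      </entry>
      <entry name="dns-security-bypassed">
        <dns-policies>
          <dns-security>
            <category name="malware" action="allow" log-severity="none"/>
            <category name="command-and-control" action="allow" log-severity="none"/>
          </dns-security>
        </dns-policies>
        <dns-exceptions><allow-list/></dns-exceptions>
      </entry>
    </spyware>
  </profiles>
</config>
"""


def dns_security_findings(profile: ET.Element) -> list[str]:
    """Return which of the three bypass conditions this Anti-Spyware profile meets."""
    categories = profile.findall("./dns-policies/dns-security/category")
    findings = []
    # Condition 1: every DNS Security category action is "allow".
    if categories and all(c.get("action") == "allow" for c in categories):
        findings.append("all DNS Security categories set to allow")
    # Condition 2: log severity is "none" for every category, so nothing is logged.
    if categories and all(c.get("log-severity") == "none" for c in categories):
        findings.append("log severity none for all DNS Security categories")
    # Condition 3: no DNS Domain/FQDN allow-list entries in DNS Exceptions.
    if not profile.findall("./dns-exceptions/allow-list/entry"):
        findings.append("empty DNS Domain/FQDN allow list")
    return findings


def fully_bypassed(profile: ET.Element) -> bool:
    """True when all three conditions hold, i.e. DNS Security logic is skipped entirely."""
    return len(dns_security_findings(profile)) == 3


def audit_config(xml_text: str) -> dict[str, list[str]]:
    """Map every Anti-Spyware profile name to the bypass conditions it meets."""
    root = ET.fromstring(xml_text)
    return {
        entry.get("name"): dns_security_findings(entry)
        for entry in root.findall("./profiles/spyware/entry")
    }


def bypassed_profiles(xml_text: str) -> list[str]:
    """Names of profiles in which DNS Security is completely bypassed."""
    root = ET.fromstring(xml_text)
    return [
        entry.get("name")
        for entry in root.findall("./profiles/spyware/entry")
        if fully_bypassed(entry)
    ]


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        status = "BYPASSED" if len(findings) == 3 else "partial" if findings else "ok"
        print(f"{name}: {status} {findings}")
```

Profiles that meet only one or two conditions (such as "allow-but-log", where categories are allowed but still logged) are reported as partial so a reviewer can decide whether the weakening was intentional; only a profile that meets all three is flagged as fully bypassed.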
 


Additional Information


How to Enable DNS Security

 


 


Article URL: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NomCAE&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail