How do I add an exception to a DNS Security Category domain in PAN-OS 10.0 or later?
28267
Created On 02/02/21 22:37 PM - Last Modified 09/27/24 05:29 AM
Question
How do I add an exception to a DNS Security Category domain in PAN-OS 10.0 or later?
Environment
- Palo Alto Networks Firewall
- Palo Alto Networks Panorama
- PAN-OS >= 10.0
Answer
NOTE: If you do not agree with the current DNS Category, file a change request through https://urlfiltering.paloaltonetworks.com. A change in PAN-DB URL Filtering categorization propagates to the DNS Security database. If you do agree with the current DNS Category but still need to add an exception for a specific domain, proceed as follows.
DNS Security groups many different domains under the same Unique Threat ID (UTID): the UTID identifies the detection mechanism that classified the domain, not the domain itself. Adding a threat exception for a UTID therefore excepts the entire DNS Security Category, which is rarely what is intended.
The list of UTIDs and the detection mechanisms they map to can be found in the following article:
What are the Unique Threat ID's that map to the different DNS Security Categories?
To except a single domain, add its FQDN rather than the UTID: in the Anti-Spyware profile, open the DNS Exceptions tab and add the entry under the DNS Domains/FQDN Allow List panel.
Here is the equivalent CLI configuration command ("Anti-Spyware" is the name of the profile):
> configure
# set profiles spyware Anti-Spyware botnet-domains whitelist freedns.afraid.org description "afraid dns updates"
# commit
If subdomains also need to be excepted, create a wildcard entry. In our example that would be:
> configure
# set profiles spyware Anti-Spyware botnet-domains whitelist *.afraid.org description "except afraid.org and all subdomains"
# commit
In this example, the wildcard entry matches both afraid.org and all of its subdomains, at any depth (there is no need to add two separate entries as you would with URL Filtering). Because a wildcard excepts every subdomain of that zone, keep wildcard entries as narrow as the use case allows.
Additional Information
- For placing DNS Security exceptions in earlier PAN-OS releases (9.0 and 9.1) please refer to the following article.
- If a content-based Threat ID also exists for the domain, as in our example, you can additionally add that UTID as a threat exception. In our case UTID 58392213 also maps to freedns.afraid.org; excepting it ensures the domain is also excepted when it is present in signatures delivered by content packages.
Here is the equivalent CLI configuration command ("Anti-Spyware" is the name of the profile):
On Next Generation Firewall:
> configure
# set profiles spyware Anti-Spyware botnet-domains threat-exception 58392213
# commit
On Panorama:
> configure
# set shared profiles spyware Anti-Spyware botnet-domains threat-exception 58392213
# commit
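The following is an added example, not code from this article or from Palo Alto Networks. It models the allow-list behaviour described above (an exact FQDN entry covers only that FQDN; a "*.afraid.org" wildcard covers afraid.org and every subdomain) so that you can check whether a domain is already excepted before adding entries, flag exact entries that a wildcard already shadows, and emit the same "set profiles spyware ... botnet-domains whitelist" commands shown on this page (with the "set shared" form for Panorama). The matching rules are an assumption derived from the article text, not from PAN-OS source code, and the function and class names are hypothetical.

```python
"""Added example (not from the article or from Palo Alto Networks): a small
model of how DNS Domains/FQDN Allow List entries match a queried domain, plus
a helper that emits the equivalent PAN-OS 'set' commands only for FQDNs the
current list does not already cover.

Assumptions (taken from the article text, not from PAN-OS source code):
  * an exact entry such as "freedns.afraid.org" covers only that FQDN;
  * a wildcard entry "*.afraid.org" covers afraid.org itself and every
    subdomain, at any label depth;
  * matching is case-insensitive and ignores a trailing dot.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class AllowEntry:
    pattern: str            # "freedns.afraid.org" or "*.afraid.org"
    description: str = ""   # free text, as in the 'description' CLI argument


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; "afraid.org." and "afraid.org" are the same name.
    return name.strip().lower().rstrip(".")


def _is_wildcard(pattern: str) -> bool:
    return _normalize(pattern).startswith("*.")


def entry_covers(entry: AllowEntry, fqdn: str) -> bool:
    """True if 'entry' excepts 'fqdn' under the matching rules assumed above."""
    pattern, name = _normalize(entry.pattern), _normalize(fqdn)
    if pattern.startswith("*."):
        base = pattern[2:]
        # Wildcard covers the apex and any subdomain, but not e.g. "notafraid.org".
        return name == base or name.endswith("." + base)
    return name == pattern


def is_excepted(allow_list: Iterable[AllowEntry], fqdn: str) -> bool:
    """True if any entry in the allow list covers the given FQDN."""
    return any(entry_covers(e, fqdn) for e in allow_list)


def redundant_entries(allow_list: Iterable[AllowEntry]) -> List[AllowEntry]:
    """Exact entries already shadowed by a wildcard in the same list (safe to remove)."""
    entries = list(allow_list)
    wildcards = [e for e in entries if _is_wildcard(e.pattern)]
    return [e for e in entries
            if not _is_wildcard(e.pattern)
            and any(entry_covers(w, e.pattern) for w in wildcards)]


def set_commands(profile: str, entries: Iterable[AllowEntry], panorama: bool = False) -> List[str]:
    """CLI 'set' lines in the form the article shows (shared profile on Panorama)."""
    prefix = "set shared profiles spyware" if panorama else "set profiles spyware"
    lines = []
    for e in entries:
        line = f"{prefix} {profile} botnet-domains whitelist {e.pattern}"
        if e.description:
            line += f' description "{e.description}"'
        lines.append(line)
    return lines


def plan_exceptions(profile: str, current: Iterable[AllowEntry], wanted: Iterable[str],
                    panorama: bool = False) -> List[str]:
    """Emit set commands only for FQDNs not already covered by 'current'."""
    current = list(current)
    missing = [AllowEntry(f, "added exception") for f in wanted if not is_excepted(current, f)]
    return set_commands(profile, missing, panorama)


if __name__ == "__main__":
    # Constructed sample: the article's allow list plus one extra wanted domain.
    current = [AllowEntry("freedns.afraid.org", "afraid dns updates")]
    for cmd in plan_exceptions("Anti-Spyware", current, ["freedns.afraid.org", "dyn.afraid.org"]):
        print(cmd)
```

Run it against an export of your current allow list before pasting commands into "configure" mode; the redundancy check is the quickest way to spot exact entries that a broad wildcard has already made meaningless.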