Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
How do I add an exception to a DNS Security Category domain in ... - Knowledge Base - Palo Alto Networks

How do I add an exception to a DNS Security Category domain in PAN-OS 10.0 or later?

28267
Created On 02/02/21 22:37 PM - Last Modified 09/27/24 05:29 AM


Question


How do I add an exception to a DNS Security Category domain in PAN-OS 10.0 or later?

Environment


  • Palo Alto Networks Firewall
  • Palo Alto Networks Panorama
  • PAN-OS >= 10.0


Answer


NOTE

If you do not agree with the current DNS Category, file a change request through https://urlfiltering.paloaltonetworks.com. The change in PAN-DB URL Filtering categorization will propagate the category change to the DNS Security database.

If you do agree with the current DNS Category but you need to add an exception, then read as follows.


DNS Security will detect various domains under the same Unique Threat ID (UTID). This means that adding an exception for the UTID would create an exception for the whole DNS Security Category, which is not something that is desired.

The UTID maps to a specific DNS detection mechanism used by DNS Security to classify domains. The UTID list can be found in the following article.
What are the Unique Threat ID's that map to the different DNS Security Categories?


To place an exception, use the FQDN instead of using the UTID, and configure it in the DNS Exceptions tab, under the DNS Domains/FQDN Allow List panel:
DNS Security FQDN Exception

Here is the equivalent CLI configuration command:  ("Anti-Spyware" is the name of the profile)

> configure
# set profiles spyware Anti-Spyware botnet-domains whitelist freedns.afraid.org description "afraid dns updates"
# commit
 

If subdomains also need to be excepted, create a wildcard entry. In our example that would be:

> configure
# set profiles spyware Anti-Spyware botnet-domains whitelist *.afraid.org description "except afraid.org and all subdomains"
# commit
 In this example, the wildcard entry will match both afraid.org and all subdomains (no need to add two separate entries like you'd do with URL Filtering).
 


Additional Information


  • If there is also a content based Threat ID, like in our example, you can double up by adding the Content based UTID. In our case UTID 58392213 also maps to freedns.afraid.org. This will make sure to except the domain if it is present in signatures delivered by Content packages.

Here is the equivalent CLI configuration command:  ("Anti-Spyware" is the name of the profile)
On Next Generation Firewall:
> configure
# set profiles spyware Anti-Spyware botnet-domains threat-exception 58392213
# commit

On Panorama:
> configure
# set shared profiles spyware Anti-Spyware botnet-domains threat-exception 58392213
# commit

 


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCjYCAW&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language