How to detect Domain Fronting
Created On 04/27/22 20:48 PM - Last Modified 03/05/25 19:18 PM
Objective
Domain fronting is a TLS evasion technique that can circumvent URL filtering and facilitate data exfiltration. The client sends a TLS ClientHello whose Server Name Indication (SNI) names a permitted FQDN, then, inside the encrypted session, sends an HTTP request whose Host header names a different site served by the same front-end (typically a CDN or shared reverse proxy). URL filtering that sees only the cleartext SNI allows the connection, while the front-end routes the request to the destination named in the Host header. Detecting the technique therefore means comparing the SNI with the Host header, which is only possible once the session is decrypted.
Environment
- PAN-OS >= 10.2.1
Procedure
- The TLS traffic must be successfully decrypted with SSL Decryption. The Host header travels inside the encrypted session, so without decryption the firewall sees only the SNI and has nothing to compare it against. Both SSL Inbound Inspection and SSL Forward Proxy decryption modes are supported.
- Enable TLS handshake inspection under [ Device > Setup > Session > Decryption Settings > SSL Decryption Settings > Send handshake messages to CTD for inspection ]. This forwards the ClientHello, and with it the SNI, to Content-ID so that it can be matched against the decrypted HTTP request.
- Detection is carried out by the Anti-Spyware signature with threat ID 86467. The default Severity and Action for this signature are "Informational" and "Allow" respectively, so with the defaults a match is neither blocked nor written to the Threat log. To make use of it, add a Threat Exception for threat ID 86467 in the Anti-Spyware profile attached to the relevant Security policy rule and set the action according to your network needs (for example "alert" to log only, or "drop" / "reset-both" to block). After committing, generate a test connection and confirm that entries with threat ID 86467 appear in the Threat log with the action you chose.
Additional Information
For additional information please see:
10.2.1 New Features: Domain Fronting Detection
Release Notes: Content Inspection Features