Palo Alto : DNS Sinkhole

The Problem:

We have an infected user who is trying to reach out to a command and control server. The infected machine does a DNS lookup, and since this domain is not hosted locally the internal DNS server passes the request through the firewall to the external DNS server. The firewall therefore sees the query coming from the internal DNS server rather than from the infected host, so the logs won't give all the information we need.

We are going to intercept the DNS traffic between the internal and external DNS servers and respond with a forged DNS answer of our own. The firewall resolves these DNS requests from the infected machines to , which is a Palo Alto assigned address; the infected host's follow-on traffic is then forced through the firewall, where it is blocked and logged appropriately.

You do need a Threat Prevention License.

The antivirus release notes list all the domains that Palo Alto deems suspicious.

This is only needed for traffic going to the internet.

How to Configure DNS Sinkhole

Make sure the latest Anti-Virus updates are installed: Device > Dynamic Updates > click “Check Now”.

Configure DNS Sinkhole in the Anti-Spyware Security Profile: Objects > Security Profiles > Anti-Spyware.

Create a new Anti-Spyware Profile or use an existing one.

Change the Action to “sinkhole”.

Set Sinkhole IPv4 to the address mentioned above.
Set Sinkhole IPv6 to ::1.

You then have to apply this security profile to your outbound internet Security Policy/Rule: select the Rule > Actions > choose the Anti-Spyware Profile.

If you want to log which hosts are hitting the sinkhole address, you will need to create a deny rule for traffic to that address; the source of each denied session is the infected machine.

Commit the Config
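Once the deny rule is in place, the traffic log is where the infected hosts show up. The script below is an added example and not part of the original post or of any Palo Alto tool: it reads a simplified, constructed export of traffic log rows, picks out sessions whose destination is the sinkhole address, counts hits per source host, and flags sinkhole sessions that were matched by something other than a deny rule (which means the logging rule above is missing or ordered wrongly). The IPv4 sinkhole value is a placeholder from the documentation range, since the post does not state it; the IPv6 value ::1 is the one from the post.

```python
import csv
import io
from collections import Counter
from ipaddress import ip_address

# Assumed values (not from the original post): replace SINKHOLE_IPV4 with the
# address configured in your Anti-Spyware profile. ::1 is the IPv6 value used above.
SINKHOLE_IPV4 = "203.0.113.10"   # placeholder, documentation range
SINKHOLE_IPV6 = "::1"

# Constructed sample export, reduced to the columns this check needs.
# Real PAN-OS CSV exports carry many more columns; map them to these names.
SAMPLE_TRAFFIC_LOG = """\
receive_time,src,dst,dport,action,rule
2024/01/05 08:01:12,10.10.5.23,203.0.113.10,443,deny,Block-Sinkhole
2024/01/05 08:01:15,10.10.5.23,203.0.113.10,80,deny,Block-Sinkhole
2024/01/05 08:02:40,10.10.7.9,93.184.216.34,443,allow,Outbound-Internet
2024/01/05 08:03:01,10.10.9.41,203.0.113.10,443,allow,Outbound-Internet
2024/01/05 08:03:05,10.10.5.23,::1,443,deny,Block-Sinkhole
"""


def is_sinkhole(dst: str) -> bool:
    """True when the destination is one of the configured sinkhole addresses."""
    try:
        addr = ip_address(dst)
    except ValueError:
        # Non-IP destinations (e.g. an FQDN column) can never be the sinkhole.
        return False
    # IPv4Address and IPv6Address never compare equal, so one check covers both.
    return addr in (ip_address(SINKHOLE_IPV4), ip_address(SINKHOLE_IPV6))


def sinkhole_report(log_text: str):
    """Return (hits per source host, sinkhole sessions not matched by a deny rule)."""
    hits = Counter()
    not_denied = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if not is_sinkhole(row["dst"]):
            continue
        # The source of a sinkhole session is the host that resolved a
        # sinkholed domain, i.e. the machine to investigate.
        hits[row["src"]] += 1
        if row["action"] != "deny":
            # The sinkhole still worked (nothing reached the real C2), but the
            # dedicated deny rule did not match, so the event is easy to miss.
            not_denied.append(row)
    return hits, not_denied


if __name__ == "__main__":
    hits, not_denied = sinkhole_report(SAMPLE_TRAFFIC_LOG)
    print("Hosts hitting the sinkhole:")
    for src, count in hits.most_common():
        print(f"  {src}: {count} session(s)")
    for row in not_denied:
        print(f"WARNING: sinkhole session from {row['src']} matched rule "
              f"'{row['rule']}' with action '{row['action']}', not the deny rule")
```

Run against a real export by replacing SAMPLE_TRAFFIC_LOG with the file contents; any host listed in the report resolved a domain that the Anti-Spyware profile classed as malicious and should be looked at, regardless of whether its session was denied.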

Palo Alto : Reconnaissance Protection Whitelist

Recently I have been implementing software called Insight VM by Rapid 7, which runs reconnaissance on our network looking for vulnerabilities. Whilst this software is scanning, I was finding the Firewall would block it (like it's supposed to) and then complain like crazy that it and its network were being targeted. After 27,000 emails overnight, I decided to research how to solve this issue. Luckily Palo Alto have thought about this.

Here is how to implement Reconnaissance Protection Whitelist:

Select Network > Network Profiles > Zone Protection > Reconnaissance Protection to add a source address exclusion whitelist to your Zone Protection profile.

Add an address to your source address exclusion whitelist. You can add up to 20 IP addresses or netmask address objects.