DNS Sinkholing is not enabled-paloaltonetworks-panos
Vendor: paloaltonetworks
OS: panos
Description:
Indeni will alert if DNS Sinkholing is not enabled on any of the configured Anti-Spyware profiles.
Remediation Steps:
Ensure all Anti-Spyware profiles have DNS sinkholing enabled.
How does this work?
This alert uses the Palo Alto Networks API to retrieve the configured Anti-Spyware profiles and checks each one for the DNS sinkholing setting. The alert reports the name of every Anti-Spyware profile on which the feature is not enabled.
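The check described above, as an added example that is not Indeni's parser or rule code: it walks the XML a PAN-OS config query returns for the Anti-Spyware profiles and lists every profile whose DNS list has no `sinkhole` action. The element layout (`botnet-domains/lists/entry/action/sinkhole`) and the sample response are assumptions constructed for this example; verify them against your own device's output.

```python
"""Report Anti-Spyware profiles whose DNS sinkholing is not enabled.

Input is the XML body of a PAN-OS XML API config query, for example
  type=config&action=get&xpath=/config/devices/entry/vsys/entry/profiles/spyware
The element layout used below is an assumption based on typical PAN-OS
exports; check it against the output of your own firewall.
"""
import xml.etree.ElementTree as ET

# Constructed sample response: only the "strict" profile sinkholes its DNS list.
SAMPLE_XML = """<response status="success"><result>
<spyware>
  <entry name="strict">
    <botnet-domains>
      <lists><entry name="default-paloalto-dns">
        <action><sinkhole/></action>
      </entry></lists>
      <sinkhole><ipv4-address>sinkhole.example.invalid</ipv4-address></sinkhole>
    </botnet-domains>
  </entry>
  <entry name="alert-only">
    <botnet-domains>
      <lists><entry name="default-paloalto-dns">
        <action><alert/></action>
      </entry></lists>
    </botnet-domains>
  </entry>
  <entry name="no-botnet-section"/>
</spyware>
</result></response>"""


def profiles_without_sinkhole(xml_text: str) -> list:
    """Return the names of Anti-Spyware profiles with no DNS list set to sinkhole."""
    root = ET.fromstring(xml_text)
    missing = []
    for profile in root.findall(".//spyware/entry"):
        # A profile is compliant only if at least one DNS signature list
        # under botnet-domains uses the sinkhole action.
        if not profile.findall("botnet-domains/lists/entry/action/sinkhole"):
            missing.append(profile.get("name"))
    return missing


if __name__ == "__main__":
    for name in profiles_without_sinkhole(SAMPLE_XML):
        print(f"DNS sinkholing not enabled on Anti-Spyware profile: {name}")
```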
Why is this important?
DNS sinkholing helps to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's own DNS query (typically because the query is forwarded by an internal DNS server, so the firewall sees only that server's address). Because the sinkholed answer points the client at the sinkhole IP address, the infected host can then be easily identified in the traffic logs: any host that attempts to connect to the sinkhole IP address is most likely infected with malware.
Without Indeni how would you find this?
Log in to the device's web interface, click "Objects" -> "Security Profiles" -> "Anti-Spyware", and check the DNS sinkholing setting of each profile manually.
panos-dns-sinkhole
https://bitbucket.org/indeni/indeni-knowledge/src/master/parsers/src/panw/panos/panos-anti-spyware-dns-sinkhole/panos-anti-spyware-dns-sinkhole.ind.yaml
PanosAntiSpywareSinkholingRule
https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/paloaltonetworks/PanosAntiSpywareSinkholingRule.scala