Advanced Threat Prevention Powered by Precision AI®
Enable Evasion Signatures
Evasion signatures detect sophisticated HTTP and TLS threats by identifying domain mismatches.
Palo Alto Networks evasion signatures provide a critical layer of defense against
sophisticated threats that attempt to bypass security filters by crafting
inconsistent HTTP or TLS requests. These signatures are specifically designed to
identify and alert on instances where a client initiates a connection to a domain
that differs from the one specified in the initial DNS query. This capability is
vital for detecting advanced evasion tactics, such as domain fronting or
unauthorized tunneling, where an attacker attempts to hide malicious traffic inside
seemingly legitimate protocol handshakes.
The NGFW must maintain visibility into the client's name resolution
process. Consequently, evasion signatures are only functional when the firewall is
configured to act as a DNS proxy, allowing it to resolve domain name queries and
cache which names each client resolved and to which addresses. By correlating the
intercepted DNS request with the subsequent application-layer traffic, the firewall
can accurately identify destination mismatches that would otherwise bypass standard
pattern-matching signatures.
As a best practice, administrators should ensure the DNS proxy feature is enabled on
the relevant interfaces before deploying evasion-specific signatures within their
Anti-Spyware or Vulnerability Protection profiles. Once the DNS proxy is active, the
firewall can cross-reference the cached DNS data with HTTP Host headers or TLS
Server Name Indication (SNI) fields. This integrated approach ensures that any
attempt to circumvent security policies through destination manipulation is logged
and mitigated in real time.
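The correlation described above, reduced to a small model as an added illustration (this is not Palo Alto Networks code and does not reflect how PAN-OS implements the signatures). A DNS-proxy cache records which names each client resolved and the addresses returned; every later connection's HTTP Host or TLS SNI is then checked against the names that client resolved to that destination. The event stream, client addresses and names below are constructed for the example:

```python
"""Constructed model of DNS-proxy / Host-SNI correlation (not vendor code).

A firewall acting as the client's DNS proxy knows which names the client
resolved and which addresses came back. A connection whose Host header or
SNI names a domain the client never resolved to that destination is the
"domain mismatch" the evasion signatures alert on.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def normalize_name(name: str) -> str:
    """Lower-case, drop a trailing dot and a host:port suffix (IPv4/hostnames)."""
    name = name.strip().lower().rstrip(".")
    if ":" in name and not name.startswith("["):
        name = name.split(":", 1)[0]
    return name


@dataclass
class DnsProxyCache:
    """Per-client memory of resolutions: client_ip -> dst_ip -> names."""
    _resolved: Dict[str, Dict[str, Set[str]]] = field(
        default_factory=lambda: defaultdict(lambda: defaultdict(set)))

    def record(self, client_ip: str, qname: str, answers: List[str]) -> None:
        qname = normalize_name(qname)
        for ip in answers:
            self._resolved[client_ip][ip].add(qname)

    def names_for(self, client_ip: str, dst_ip: str) -> Set[str]:
        return set(self._resolved.get(client_ip, {}).get(dst_ip, set()))


def classify(cache: DnsProxyCache, client_ip: str, dst_ip: str, claimed: str) -> str:
    """Compare a connection's Host/SNI with the client's DNS history.

    "match"      - the client resolved this name to dst_ip earlier
    "mismatch"   - dst_ip was resolved for a different name (the evasion case)
    "unresolved" - no cached resolution for this client/destination, so the
                   DNS-based check has nothing to compare against
    """
    names = cache.names_for(client_ip, dst_ip)
    if not names:
        return "unresolved"
    return "match" if normalize_name(claimed) in names else "mismatch"


@dataclass
class Event:
    kind: str                      # "dns" (query answered) or "conn" (new session)
    client: str                    # client IP
    name: str                      # qname for dns; Host header / SNI for conn
    dst: str = ""                  # destination IP for conn
    answers: Tuple[str, ...] = ()  # A-record answers for dns


# Constructed sample events (documentation-range addresses, made-up names).
SAMPLE_EVENTS = [
    Event("dns", "10.1.1.5", "www.example.com", answers=("203.0.113.10",)),
    Event("conn", "10.1.1.5", "www.example.com", dst="203.0.113.10"),        # match
    Event("conn", "10.1.1.5", "front.example.net", dst="203.0.113.10"),      # mismatch
    Event("conn", "10.1.1.5", "WWW.EXAMPLE.COM:443", dst="203.0.113.10"),    # match (normalized)
    Event("conn", "10.1.1.9", "www.example.com", dst="203.0.113.10"),        # unresolved (other client)
]


def run(events: List[Event]) -> List[Tuple[str, str, str, str]]:
    """Replay events in order; return (client, dst, claimed name, verdict) per connection."""
    cache = DnsProxyCache()
    verdicts = []
    for ev in events:
        if ev.kind == "dns":
            cache.record(ev.client, ev.name, list(ev.answers))
        else:
            verdicts.append((ev.client, ev.dst, ev.name,
                             classify(cache, ev.client, ev.dst, ev.name)))
    return verdicts


if __name__ == "__main__":
    for client, dst, name, verdict in run(SAMPLE_EVENTS):
        print(f"{client} -> {dst} host/sni={name!r}: {verdict}")
```

The "unresolved" verdict is the point the page makes about the DNS proxy requirement: when the firewall never saw the client's resolution (a different resolver, or a hard-coded IP), there is no cached name to compare against, so this class of check cannot fire.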
1. Enable a firewall intermediate to clients and servers to act as a DNS proxy. Configure a DNS Proxy Object, including:
   - Specify the interfaces on which you want the firewall to listen for DNS queries.
   - Define the DNS servers with which the firewall communicates to resolve DNS requests.
   - Set up static FQDN-to-IP address entries that the firewall can resolve locally, without reaching out to DNS servers.
   - Enable caching for resolved hostname-to-IP-address mappings.
2. Get the latest Applications and Threats content version (content version 579 or later).
   - Select Device > Dynamic Updates.
   - Click Check Now to get the latest Applications and Threats content update.
   - Download and Install Applications and Threats content version 579 (or later).
3. Define how the firewall should enforce traffic matched to evasion signatures.
   - Select Objects > Security Profiles > Anti-Spyware and Add or modify an Anti-Spyware profile.
   - Select Exceptions and select Show all signatures.
   - Filter signatures based on the keyword evasion.
   - For all evasion signatures, set the Action to any setting other than allow or the default action (the default action for evasion signatures is allow). For example, set the Action for signature IDs 14978 and 14984 to alert or drop.
   - Click OK to save the updated Anti-Spyware profile.
   - Attach the Anti-Spyware profile to a security policy rule: select Policies > Security, select the policy to modify, and then click the Actions tab. In Profile Settings, click the drop-down next to Anti-Spyware and select the Anti-Spyware profile you just modified to enforce evasion signatures.
4. Commit your changes: click Commit.
- Select ObjectsSecurity ProfilesAnti-Spyware and Add or modify an Anti-spyware profile.Select Exceptions and select Show all signatures.Filter signatures based on the keyword evasion.For all evasion signatures, set the Action to any setting other than allow or the default action (the default action is for evasion signatures is allow). For example, set the Action for signature IDs 14978 and 14984 to alert or drop.Click OK to save the updated Anti-spyware profile.Attach the Anti-spyware profile to a security policy rule: Select PoliciesSecurity, select the desired policy to modify and then click the Actions tab. In Profile Settings, click the drop-down next to Anti-Spyware and select the anti-spyware profile you just modified to enforce evasion signatures.Commit your changes.Click Commit.