Create Domain Exceptions and Allow | Block Lists
Focus
Focus
Advanced DNS Security Powered by Precision AI™

Create Domain Exceptions and Allow | Block Lists

Table of Contents

Create Domain Exceptions and Allow | Block Lists

Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
  • VM-Series
  • CN-Series
  • Advanced DNS Security License (for enhanced feature support) or DNS Security License
  • Advanced Threat Prevention or Threat Prevention License
DNS Security creates threat signatures for domains that have been analyzed by the DNS Security service. For these known domains, the signatures are referenced when a DNS query is received. In some cases, it might be possible that the signature has incorrectly categorized a domain as a threat, due to certain features or qualities present in the domain. In such circumstances, you can add signature exceptions to bypass these false-positives. If there are known safe domains that are categorized as malicious, such as internal domains, you can add a list of domains that will bypass any DNS analysis. If your organization uses third party threat feeds as part of a comprehensive threat intelligence solution, you can also reference those in the form of external dynamic lists (EDLs) in your DNS Security profile.

Create Domain Exceptions and Allow | Block Lists (Strata Cloud Manager)

  1. Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager on the hub.
  2. Add domain overrides in cases where false-positives occur.
    1. Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesDNS Security and select a DNS Security profile to modify.
    2. Add Override or Delete to modify the domain list entries as necessary. Each additional entry requires the domain and a description.
    3. Click OK to save your modified DNS Security profile.
  3. Reference an external dynamic list (EDL) as part of your DNS Security profile to import third party threat feeds.
    1. Create an domain-based external dynamic list (ManageConfigurationNGFW and Prisma AccessObjectsExternal Dynamic Lists). For more information about EDLs, see External Dynamic List.
    2. Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesDNS Security.
    3. In the External Dynamic Lists panel, select a domain list EDL and provide the Policy Action and Packet Capture settings. In Apply to Profiles, select the DNS Security profile for which you want the EDL domain list to apply to.
    4. Save your changes when you have finished making your updates.

Create Domain Exceptions and Allow | Block Lists (NGFW (Managed by PAN-OS or Panorama))

PAN-OS 10.0 and later releases provide an additional option to explicitly add allowable domains through the Anti-Spyware security profile. You can add domain/FQDN entries for approved domain sources if they trigger a false-positive response from DNS Security.

Create Domain Exceptions and Allow | Block Lists (PAN-OS 10.0 and later)

  • Add domain signature exceptions in cases where false-positives occur.
    1. Select ObjectsSecurity ProfilesAnti-Spyware.
    2. Select a profile to modify.
    3. Add or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select DNS Exceptions.
    4. Search for a DNS signature to exclude by entering the name or FQDN.
    5. Select the checkbox for each Threat ID of the DNS signature that you want to exclude from enforcement.
    6. Click OK to save your new or modified Anti-Spyware profile.
  • Add an allow list to specify a list of DNS domains / FQDNs to be explicitly allowed.
    1. Select ObjectsSecurity ProfilesAnti-Spyware.
    2. Select a profile to modify.
    3. Add or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select DNS Exceptions.
    4. To Add a new FQDN allow list entry, provide the DNS domain or FQDN location and a description.
    5. Click OK to save your new or modified Anti-Spyware profile.

Create Domain Exceptions and Allow | Block Lists (PAN-OS 9.1)

Allow and block lists are not available in PAN-OS 9.1.
  • Add domain signature exceptions in cases where false-positives occur.
    1. Select ObjectsSecurity ProfilesAnti-Spyware.
    2. Select a profile to modify.
    3. Add or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select DNS Signatures > Exceptions.
    4. Search for a DNS signature to exclude by entering the name or FQDN.
    5. Select the DNS Threat ID for the DNS signature that you want to exclude from enforcement.
    6. Click OK to save your new or modified Anti-Spyware profile.