PAN-OS - DGA Exception in 10.x

Every once in a while you encounter a domain name that is legitimate but still gets marked as malware by the DNS Security feature of the Palo Alto firewall.

You can of course create an exception for this specific threat, but that would make part of your DNS Security licence obsolete.

Create exception

You could create an external dynamic list and use it as a whitelist for specific DGA-marked domains. Since this happens to me once in a while, creating a single exception meets my needs here.

For PAN-OS 9.x this has been described in "How to add exception for only one DGA domain while blocking the DGA category". Since PAN-OS 10.x the syntax of the command has changed slightly.

debug dnsproxyd dns-signature response fqdn example.com gtid 420000700 ttl 30758400 match-subdomains no verdict 9 threat-name DGA-whitelist

The value of the verdict used in the example above is ‘Whitelist’. In 10.x you have different choices:

  0        Benign
  1        Malware
  2        C2
  4        DDNS
  5        New Domain
  9        Allow list
  <value>  <0-100> Other Verdict ID

I chose to appoint this domain the status of ‘Allow list’. The command initially would not complete and returned an ‘Invalid syntax’ error. I needed to add the threat-name. So I made up the threat ‘DGA-whitelist’. Just as a reminder to myself. I might encounter this name in my logs one day.

So the command finished successfully:

Debug dns-signature command successful.
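
When more than one reviewed domain needs the same treatment, the command lines can be generated and sanity-checked before they are pasted into the CLI. The following is an added example, not part of the original post or of PAN-OS: the function names are hypothetical, the gtid, ttl and threat-name defaults are the values from the command above, and match-subdomains is fixed to "no" because that is the only value the post shows.

```python
import re

# Verdict IDs named in the post for 10.x; other numeric IDs are deliberately refused here.
VERDICTS = {0: "Benign", 1: "Malware", 2: "C2", 4: "DDNS", 5: "New Domain", 9: "Allow list"}
# One DNS label: letters, digits, hyphens, no leading or trailing hyphen, max 63 chars.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")
# Assumption: the threat name is kept to a single CLI token without spaces or quotes.
_NAME = re.compile(r"[A-Za-z0-9_-]+")
# Constructed sample input: two spellings of one domain and two entries to reject.
SAMPLE = ["example.com", "Example.COM.", "com", "bad_host.example.net"]

def normalize_fqdn(raw):
    """Return a lower-case FQDN without trailing dot, or raise ValueError."""
    fqdn = raw.strip().rstrip(".").lower()
    labels = fqdn.split(".")
    if len(fqdn) > 253 or len(labels) < 2:
        raise ValueError(f"too broad or too long for an exception: {raw!r}")
    if not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError(f"invalid DNS label in {raw!r}")
    return fqdn

def build_exception(fqdn, verdict=9, threat_name="DGA-whitelist",
                    gtid=420000700, ttl=30758400):
    """Build the 10.x command shown in the post for one reviewed domain."""
    if verdict not in VERDICTS:
        raise ValueError(f"verdict {verdict} is not one of the named IDs")
    if not _NAME.fullmatch(threat_name):
        raise ValueError("threat-name must be a single token")
    return ("debug dnsproxyd dns-signature response "
            f"fqdn {normalize_fqdn(fqdn)} gtid {gtid} ttl {ttl} "
            f"match-subdomains no verdict {verdict} threat-name {threat_name}")

def build_all(domains):
    """Return (commands, rejected) for a reviewed list, de-duplicated in order."""
    commands, rejected, seen = [], [], set()
    for raw in domains:
        try:
            cmd = build_exception(raw)
        except ValueError as err:
            rejected.append((raw, str(err)))
            continue
        if cmd not in seen:
            seen.add(cmd)
            commands.append(cmd)
    return commands, rejected

if __name__ == "__main__":
    cmds, bad = build_all(SAMPLE)
    print("\n".join(cmds + [f"rejected {raw!r}: {why}" for raw, why in bad]))
```

Rejecting single-label names keeps an exception from being written for a whole TLD, and every generated line carries the threat-name so the exception can be recognised in the logs later.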