Skip to main content

Search

Exempting your Canaries from Palo Alto Firewall blocking

  • Updated

This guide applies to Palo Alto V9 and above. To access the DNS Security service, you must have a valid Threat Prevention and DNS Security license.

Inside different networks across the world, Canaries communicate seamlessly over DNS with the Canary Console. On a handful of networks with Palo Alto devices, however, Canaries may have some of their DNS traffic blocked by the firewall. This article shows how to exempt Canaries from being blocked by the firewall mistakenly flagging their DNS traffic as malicious.

Palo Alto firewalls have several built-in Threat rules that can trigger DNS tunnelling. The known ones liable to block Canary traffic are:

  • DNS Tunnel Data Infiltration Traffic Detection (ID: 18003)
  • DNSExfiltrator DNS Tunnel Data Exfiltration Traffic (ID: 18084)
  • DNS Tunnel Based Command and Control (ID: 18658)
  • Pisloader.Backdoor Command and Control Traffic (ID: 18812)
  • DNSpionage Command and Control Traffic (ID: 18823)

If any other DNS tunnelling rules do block Canary traffic they will show up in the firewall logs blocking DNS TXT queries for domains that end in .cnr.io.

The aim of the steps below is to exempt the specific Canaries, by their source IPs, for one of the rules listed above.

In your Palo Alto control panel, navigate to Objects, then Security Profiles and then Anti-Spyware:

Step 1: Open the Anti-Spyware Profile that is currently used by your org and cause the Canary DNS Tunneling alerts  (in this screenshot: ‘Org DNS Protection Profile’)

mceclip0.png

Step 2: Navigate to the Exceptions tab  

mceclip1.png

Step 3: Select 'Show all signature'

mceclip2.png

Step 4: In the Search bar, enter "DNS Tunnel"

mceclip4.png

Step 5: Click Enable next to the detection signature which flags the Canary traffic (in this screenshot: ‘DNS Tunnel Data Infiltration Traffic Detection’), then click on the empty rectangle under IP Address Exemptions

mceclip6.png

 Step 6: Select Add, and add the IP addresses of the Canaries

mceclip7.png

Step 7: Click OK twice, and then Commit

mceclip8.png

And you're done!

If ever you see that a Canary triggers another tunnelling rule, simply go back to the Anti-Spyware profile created here and add that rule. (If you let us know, we'll update this page.) It's important to note that you have to add the Canary source IP addresses to each rule's IP exemption list individually. 

 

Was this article helpful?
3 out of 4 found this helpful
Return to top