Why do I see "Suspicious TLS Evasion Found" (14978) and "Suspicious HTTP Evasion Found" (14984) false positives? (2024)

56111

Created On: 12/11/20 22:27 PM - Last Modified: 12/14/23 13:09 PM

Question


What are these "Suspicious TLS Evasion Found" (14978) and "Suspicious HTTP Evasion Found" (14984) Anti-Spyware signatures, and why are they triggering false positives?

Environment


  • Palo Alto Firewall.
  • PAN-OS 7.1 and above.
  • Threat prevention.

Answer


The purpose and use of these signatures is described at

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/enable-evasion-signatures

The purpose of these special evasion signatures, "Suspicious TLS Evasion Found" (14978) and "Suspicious HTTP Evasion Found" (14984), is to detect an internal client crafting a packet in order to evade URL Filtering.

For example, suppose a user wanted to visit a site that was being blocked by a URL category. An evader (user) could trick URL Filtering into thinking the category is "search engines".

In the case of HTTPS traffic, the evader would be crafting an HTTPS request with a chosen Server Name Indication (SNI) field in the Client Hello packet. In the case of HTTP traffic, the evader would be crafting an HTTP request with a chosen "Hostname" (Host header) field. Either field, for HTTPS or HTTP, could be set to google.com while the request is pointed at a different IP address, hence evading URL Filtering detection.

These signatures check the SNI (for HTTPS) or Hostname (for HTTP) FQDN in the request and ensure there was a previously seen DNS query in DNS Proxy that matches the target domain.

For there to be a comparable DNS record, the DNS Proxy feature in the Palo Alto Networks firewall needs to be in use. These signatures become inaccurate when they are not used together with the recommended DNS Proxy configuration on the Palo Alto Networks firewall, because the firewall then has no DNS record to compare the request against.
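The check described above, modelled as a small added example (not PAN-OS code, and not the vendor's implementation): a constructed DNS Proxy cache maps each FQDN to the addresses the proxy returned, and a request is flagged when its Host/SNI name resolved to a different address than the one the client is actually connecting to. The "no-dns-record" verdict is the false-positive case the article describes, where the name was never resolved through DNS Proxy at all.

```python
import ipaddress
from typing import Dict, Set

# Constructed sample of DNS Proxy state: FQDN -> addresses the proxy handed to
# clients. Addresses are from documentation ranges, not real resolutions.
DNS_PROXY_CACHE: Dict[str, Set[str]] = {
    "www.google.com": {"198.51.100.4"},
    "intranet.example.test": {"10.0.5.20"},
}


def host_from_http(raw_request: bytes) -> str:
    """Return the Host header value (without port, lower-cased) of a plain
    HTTP/1.1 request; this is the field the HTTP signature inspects."""
    for line in raw_request.split(b"\r\n")[1:]:
        if not line:  # end of headers
            break
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii").split(":")[0].lower()
    raise ValueError("no Host header in request")


def classify(fqdn: str, dst_ip: str, cache: Dict[str, Set[str]]) -> str:
    """Model of the evasion check.

    "match"           - FQDN was resolved via DNS Proxy to this destination
    "evasion-suspect" - FQDN was resolved, but to a different address
    "no-dns-record"   - FQDN never seen by DNS Proxy (e.g. DNS Proxy not in
                        the resolution path), the false-positive scenario
    """
    fqdn = fqdn.rstrip(".").lower()
    resolved = cache.get(fqdn)
    if resolved is None:
        return "no-dns-record"
    if str(ipaddress.ip_address(dst_ip)) in resolved:
        return "match"
    return "evasion-suspect"


if __name__ == "__main__":
    # Constructed request: Host says google, but the TCP destination differs.
    req = b"GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: x\r\n\r\n"
    print(host_from_http(req), classify(host_from_http(req), "203.0.113.9", DNS_PROXY_CACHE))
    print(classify("intranet.example.test", "10.0.5.20", DNS_PROXY_CACHE))
    print(classify("files.example.test", "10.0.5.21", DNS_PROXY_CACHE))
```

The same `classify` logic applies to the SNI extracted from a TLS Client Hello; only the field extraction differs.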

For this reason, an exception setting the action for the informational Threat IDs 14978 and 14984 to "allow" or "alert" is often needed. For instructions please see:
How to Use Anti-Spyware, Vulnerability, and Antivirus Exceptions to Block or Allow Threats

If specific IP addresses need to be excepted, please see:
Why IP addresses under "IP address exemptions" of spyware threat exception was not excepted from spyware modified action.

The following article details the configuration and usage of DNS Proxy on the Palo Alto Networks firewall:
How to Configure DNS Proxy on a Palo Alto Networks Firewall

Additional Information


In certain cases, if the Domain is incorrectly configured in the firewall (under Device > Setup > Management > General Settings), queries sourced by the firewall itself may automatically have the incorrect suffix appended. If you observe signature triggers where the source is the firewall, an incorrectly configured domain on the firewall could be the culprit.

Article information

Author: Nathanael Baumbach
