56111
Created On 12/11/20 22:27 PM - Last Modified 12/14/23 13:09 PM
Question

What are these "Suspicious TLS Evasion Found" (14978) and "Suspicious HTTP Evasion Found" (14984) Anti-Spyware signatures, and why are they triggering false positives?

Environment

Answer

The purpose and use of these signatures is described at

The purpose of these special evasion signatures, "Suspicious TLS Evasion Found" (14978) and "Suspicious HTTP Evasion Found" (14984), is to detect an internal client crafting a packet in order to evade URL Filtering. For example, suppose a user wants to visit a site that is blocked by a URL category. The evader (user) could trick URL Filtering into thinking the category is "search engines". In the case of HTTPS traffic, the evader would craft an HTTPS request with a chosen value in the Server Name Indication (SNI) field of the Client Hello packet. In the case of HTTP traffic, the evader would craft an HTTP request with a chosen "Hostname" field. Either field (SNI for HTTPS, Hostname for HTTP) could be set to google.com while the request is pointed at a different IP address, thereby evading URL Filtering detection.

These signatures check the SNI (for HTTPS) or Hostname (for HTTP) FQDN in the request and ensure there was a previously seen DNS query in DNS Proxy that matches the target domain. For there to be a comparable DNS record, the DNS Proxy feature in the Palo Alto Networks firewall needs to be in use. These signatures can be inaccurate if they are not used with the recommended DNS Proxy configuration on the Palo Alto Networks firewall. For this reason, an exception that sets the action for informational Threat IDs 14978 and 14984 to "allow" or "alert" is often needed.

For instructions please see: How to Use Anti-Spyware, Vulnerability, and Antivirus Exceptions to Block or Allow Threats

If specific IP addresses need to be excepted, please see: Why IP addresses under "IP address exemptions" of spyware threat exception was not excepted from spyware modified action.

The following article details the configuration and usage of DNS Proxy on the Palo Alto Networks firewall: How to Configure DNS Proxy on a Palo Alto Networks Firewall

Additional Information
In certain cases, if the domain is incorrectly configured on the firewall (under Device > Setup > Management > General Settings), queries sourced by the firewall itself may automatically have the incorrect suffix appended. If you observe signature triggers where the source is the firewall, an incorrectly configured domain on the firewall could be the culprit.
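Added illustration, not Palo Alto Networks code: a small Python model of the check these signatures perform, run over constructed DNS Proxy and session data. It assumes the match is made on both the queried name and the answered address (the article only says the DNS query must match the target domain), and that an empty DNS Proxy record set is what produces the false positives described above.

```python
from dataclasses import dataclass, field

def _norm(fqdn: str) -> str:
    """Normalise a name so SNI/Host and DNS query compare the same way."""
    return fqdn.strip().lower().rstrip(".")

@dataclass
class DnsProxyCache:
    """Names resolved through the firewall's DNS Proxy, mapped to answered IPs."""
    answers: dict = field(default_factory=dict)

    def record(self, fqdn: str, ip: str) -> None:
        self.answers.setdefault(_norm(fqdn), set()).add(ip)

def check_request(cache: DnsProxyCache, fqdn: str, dst_ip: str) -> tuple:
    """(verdict, reason) for one HTTPS SNI or HTTP Host observation; 'evasion'
    mirrors a 14978/14984 hit: no DNS Proxy answer agrees with the real target."""
    if not cache.answers:
        # No DNS Proxy data at all: every session alerts, which is the
        # false-positive condition the article describes.
        return ("evasion", "no DNS Proxy records; is DNS Proxy enabled and in use?")
    name = _norm(fqdn)
    ips = cache.answers.get(name)
    if ips is None:
        return ("evasion", f"no DNS query seen for {name}")
    if dst_ip not in ips:
        return ("evasion", f"{name} resolved to {sorted(ips)}, session went to {dst_ip}")
    return ("ok", f"{name} matches a DNS Proxy answer for {dst_ip}")

def scan_sessions(cache: DnsProxyCache, sessions: list) -> list:
    """sessions: (protocol, claimed name, destination IP); returns flagged ones."""
    flagged = []
    for proto, name, dst in sessions:
        verdict, reason = check_request(cache, name, dst)
        if verdict == "evasion":
            flagged.append((proto, name, dst, reason))
    return flagged

# Constructed sample data (not from the article); 192.0.2.0/24 is documentation space.
CACHE = DnsProxyCache()
CACHE.record("google.com", "192.0.2.10")
CACHE.record("blocked.example", "192.0.2.50")
SESSIONS = [
    ("https", "google.com", "192.0.2.10"),       # SNI and DNS agree
    ("https", "google.com", "192.0.2.50"),       # SNI says google.com, goes to blocked host
    ("http", "intranet.example", "192.0.2.77"),  # never resolved through DNS Proxy
]
```

Running `scan_sessions(CACHE, SESSIONS)` flags the second and third sessions only; a name that the firewall resolved with a wrong suffix appended (the Additional Information case) is flagged the same way, because the stored name no longer equals the SNI.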