Enable DNS Secintel Detection
- Configure DNS profile. In this example, the profile name is dns-profile. For allowlisted feed dns-feed-1, the DNS request is logged and access is allowed. For custom DNS feed custom-dns-feed-1, the DNS request is configured for sinkholing.
set security-intelligence profile dns-profile category DNS
set security-intelligence profile dns-profile rule dns-rule-1 match feed-name dns-feed-1
set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 1
set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 2
set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 3
set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 4
set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 5
set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 6
set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 7
set security-intelligence profile dns-profile rule dns-rule-1 then action permit
set security-intelligence profile dns-profile rule dns-rule-1 then log
set security-intelligence profile dns-profile rule dns-rule-2 match feed-name custom-dns-feed-1
set security-intelligence profile dns-profile rule dns-rule-2 match threat-level 8
set security-intelligence profile dns-profile rule dns-rule-2 match threat-level 9
set security-intelligence profile dns-profile rule dns-rule-2 match threat-level 10
set security-intelligence profile dns-profile rule dns-rule-2 then action sinkhole
set security-intelligence profile dns-profile rule dns-rule-2 then log
Configure DNS sinkhole if the action is set as sinkhole. See Configure DNS Sinkhole.
- Configure DNS policy.
set security-intelligence policy dns-policy category DNS security-intelligence-profile dns-profile
- Configure a security policy and assign the DNS policy to the security policy.
set policies from-zone trust to-zone untrust policy security-policy match source-address any
set policies from-zone trust to-zone untrust policy security-policy match destination-address any
set policies from-zone trust to-zone untrust policy security-policy match application any
set policies from-zone trust to-zone untrust policy security-policy then permit application-services security-intelligence-policy dns-policy
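To check which rule a given DNS lookup would hit before committing the profile, the following added example (not Juniper code) parses the dns-profile statements above into a rule table and evaluates a feed/threat-level pair against it. It assumes first-match semantics in configuration order and reports "no-match" for a lookup no rule covers, since the page states no default action.

```python
# Added example, not Juniper code. Assumed semantics: rules are tried in config order and
# the first whose feed-name AND threat-level both match wins; no match -> "no-match".
import re
# Constructed sample input: the dns-profile statements from this page.
PROFILE_CONFIG = """
set security-intelligence profile dns-profile category DNS
set security-intelligence profile dns-profile rule dns-rule-1 match feed-name dns-feed-1
set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 1
set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 2
set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 3
set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 4
set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 5
set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 6
set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 7
set security-intelligence profile dns-profile rule dns-rule-1 then action permit
set security-intelligence profile dns-profile rule dns-rule-1 then log
set security-intelligence profile dns-profile rule dns-rule-2 match feed-name custom-dns-feed-1
set security-intelligence profile dns-profile rule dns-rule-2 match threat-level 8
set security-intelligence profile dns-profile rule dns-rule-2 match threat-level 9
set security-intelligence profile dns-profile rule dns-rule-2 match threat-level 10
set security-intelligence profile dns-profile rule dns-rule-2 then action sinkhole
set security-intelligence profile dns-profile rule dns-rule-2 then log
"""
RULE_RE = re.compile(r"^set security-intelligence profile \S+ rule (\S+) (?:match feed-name (\S+)|match threat-level (\d+)|then action (\S+)|then (log))$")

def parse_profile(text):
    """Map rule name -> feeds, threat levels, action, log flag; dict order = config order."""
    rules = {}
    for line in text.strip().splitlines():
        m = RULE_RE.match(line)
        if not m:  # e.g. the 'category DNS' statement belongs to no rule
            continue
        name, feed, level, action, log = m.groups()
        r = rules.setdefault(name, {"feeds": set(), "levels": set(), "action": None, "log": False})
        if feed:
            r["feeds"].add(feed)
        elif level:
            r["levels"].add(int(level))
        elif action:
            r["action"] = action
        else:
            r["log"] = True
    return rules

def evaluate(rules, feed, threat_level):
    """Return (rule_name, action, logged) for a lookup whose domain is in 'feed' at 'threat_level'."""
    for name, r in rules.items():
        if feed in r["feeds"] and threat_level in r["levels"]:
            return name, r["action"], r["log"]
    return None, "no-match", False
```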
To display DNS statistics for logical systems and tenant systems, use the following commands:
show services security-intelligence dns-statistics logical-system logical-system-name
show services security-intelligence dns-statistics tenant tenant-name
To display DNS profile statistics for logical systems and tenant systems, use the following commands:
show services security-intelligence dns-statistics profile p1 logical-system logical-system-name
show services security-intelligence dns-statistics profile p1 tenant tenant-name
To display all DNS statistics for logical systems and tenant systems, use the following commands:
show services security-intelligence dns-statistics logical-system all
show services security-intelligence dns-statistics tenant all
show services security-intelligence dns-statistics
To clear statistics for DNS filtering, use the following commands:
clear services security-intelligence dns-statistics logical-system logical-system-name
clear services security-intelligence dns-statistics logical-system all
clear services security-intelligence dns-statistics