Thank you for this wonderful video! Just a question though: do you have the DNS Security license or just the Threat Prevention license in this video?
@mode4480 4 months ago
Hi, I have the DNS Security subscription in this video. Thank you for watching!
@matthewisaac6895 3 months ago
@mode4480 Both licenses can provide these DNS controls, but I think the difference is that the DNS Security subscription provides a real-time DNS threat DB update service, whereas with the ordinary Threat Prevention sub you are limited to the once-a-day update through the Threat Prevention signature update? Don't quote me on that, but that's what I can deduce so far; it's not exactly clear.
@mode4480 3 months ago
Hi, yes, the cloud subscriptions can be a little difficult to understand, as it is not very clear at all. I have had a look and come up with the following:

Threat Prevention - Locally accessed through Anti-Virus and WildFire updates
DNS Security - Cloud-based analysis and ML, as well as DGA/DNS tunneling etc.
Advanced DNS Security - All DNS responses are sent to the cloud for analysis; on PAN-OS 11.2 and above there are extra features for hijacking and domain misconfiguration detection, ML and real-time analysis

That is what I get from the documentation, hopefully that is somewhere near!
@Fizadigital 3 months ago
Thank you so much, bro, for your good explanation, but I wonder why you have sinkholed all categories. I usually sinkhole all default block categories only.
@mode4480 3 months ago
Hi, that is a really good question, and it really does get to the problem I see with a lot of security practice today. The categories vary in their potential for malicious traffic, and with this variance comes the need to put the standards and best-practice docs largely to one side.

I sinkhole default-paloalto-dns because it is a Palo-provided list of malicious or undesirable domains, and as such it is best to sinkhole for reporting as well as security purposes. I would also suggest that C&C domains should be blocked, as they serve no purpose; the same can be said for Grayware, Malware and Phishing.

Parked domains are a grey area: while not really a 100 percent security risk, you may want to block them if you were in a high-security government organization, just in case, but if you are in a low-security environment you may not be that bothered, and the extra reporting and logging could just be noise that you want to tune out. The same really goes for Ad Tracking; these drop cookies and actively follow users, so depending on your security stance I guess that would also be open to interpretation.

However, when it comes to things like Proxy Avoidance and Anonymizers, if this profile were added to corporate network access then I cannot see why you would want to allow a user to encrypt their traffic and avoid the vast majority of the security measures that are in place. But where this profile is added to guest networks you would most likely allow it, as users are more often than not going to be VPN'd back to their corporate networks and will need that traffic allowed.

Finally, Newly Registered Domains: in today's hyperscaling cloud environments, where DNS is crucial and services can be brought online using newly created domains or local domains, you would weigh up the quantity. If there are only a few, then the exceptions list could be the way to go, but if there are likely to be an exponential amount then you may want to accept the risks with new domains, reducing the admin overhead.
Hope this helps!
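A quick way to confirm what the per-category choices above actually do on the wire is to resolve one test domain per category through the firewall and compare the answer with the sinkhole address configured in the profile. The script below is an added example, not code from the video or from Palo Alto Networks; the test domain names and the sinkhole addresses in it are assumed placeholders to be replaced with the ones your own profile and vendor documentation use. It distinguishes three client-visible outcomes: an answer equal to the sinkhole address (the sinkhole action), a failed lookup (a block action), and a normal answer (allow). Note that "alert" looks identical to "allow" from the client side; only the Threat log tells those apart.

```python
"""Audit which DNS categories resolve to the sinkhole, fail, or resolve normally.

Added example, not from the video or Palo Alto Networks. Domain names and
sinkhole addresses below are ASSUMED placeholders; substitute your own.
"""
import socket
from typing import Callable, Dict, Iterable, List, Optional

# ASSUMED: the sinkhole IPv4/IPv6 addresses set in your Anti-Spyware/DNS
# Security profile. Replace with the values from your firewall.
SINKHOLE_IPS = {"10.255.255.254", "::1"}

# ASSUMED: one hypothetical test domain per category. These are placeholders,
# not real vendor test domains; use the ones your vendor documents.
TEST_DOMAINS: Dict[str, str] = {
    "default-paloalto-dns": "test-default.example.invalid",
    "command-and-control": "test-c2.example.invalid",
    "malware": "test-malware.example.invalid",
    "phishing": "test-phishing.example.invalid",
    "grayware": "test-grayware.example.invalid",
    "parked": "test-parked.example.invalid",
    "ad-tracking": "test-ads.example.invalid",
    "proxy-avoidance": "test-proxy.example.invalid",
    "newly-registered": "test-newdomain.example.invalid",
}


def classify(answers: Optional[List[str]], sinkhole_ips: Iterable[str]) -> str:
    """Map one domain's resolver answers to the client-visible profile action.

    answers is the list of addresses returned, or None/empty when resolution
    failed (NXDOMAIN, SERVFAIL, timeout), which is how a 'block' action looks
    to the client. An answer containing a sinkhole address means 'sinkhole';
    anything else is 'allowed' (which also covers the 'alert' action).
    """
    if not answers:
        return "blocked"
    if set(answers) & set(sinkhole_ips):
        return "sinkholed"
    return "allowed"


def resolve(name: str) -> Optional[List[str]]:
    """Resolve a name with the system resolver; None on any lookup failure."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def audit(
    domains: Dict[str, str],
    sinkhole_ips: Iterable[str],
    resolver: Callable[[str], Optional[List[str]]] = resolve,
) -> Dict[str, str]:
    """Return {category: verdict} for every test domain.

    resolver is injectable so the logic can be exercised without network access.
    """
    return {cat: classify(resolver(name), sinkhole_ips) for cat, name in domains.items()}


if __name__ == "__main__":
    # Run from a host whose DNS traffic passes through the firewall under test.
    for category, verdict in audit(TEST_DOMAINS, SINKHOLE_IPS).items():
        print(f"{category:22s} {verdict}")
```

Run it from a client behind the firewall, once with the corporate profile and once from the guest segment, and the two verdict tables show directly which categories differ between the two policies.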
@seththomas3194 3 months ago
IDK, I never get a log entry in the Threat log. Also, if you are blocking QUIC, it just gives a QUIC error in the browser, most any. So, something ain't working the same on 11.2...
@mode4480 3 months ago
Hi, I can honestly say that I have never seen a QUIC error. I suppose if the browser was now trying to force QUIC instead of falling back that may happen, but that would be browser-side, not firewall-side. Interesting though; I will have to look into it more. Can you describe the setup you are using to get those results? Thank you for watching!