Palo Alto Networks provides various security features and
functionalities in their firewall products to help protect against zombie or
botnet activity. While they may not specifically refer to it as
"Anti-Zombie," their firewalls offer several capabilities that can
help mitigate the risk of botnet infections and control compromised devices.
Here are some features that Palo Alto Firewalls typically provide:
1. Threat Prevention
2. Intrusion Prevention System (IPS)
3. URL Filtering
4. DNS Sinkholing
5. Threat Intelligence Integration
6. Behavioral Analysis
The list above is great, but its interesting to me that Paloalto as custom reports that show possible Bot traffic on your network. It's worth noting that the specific features and capabilities can vary depending on the Palo Alto Firewall model and software version.
To Configure a Botnet Reports try the following:
Define the types of traffic that indicate possible botnet activity.
1. Select Monitor > Botnet and click Configuration on the right side of the page.
2. Enable and
define the Count for each type
of HTTP Traffic that the report will include.
The Count values
represent the minimum number of events of each traffic type that must occur for
the report to list the associated host with a higher confidence score (higher
likelihood of botnet infection). If the number of events is less than the Count, the report will display a lower
confidence score or (for certain traffic types) won’t display an entry for the
host. For example, if you set the Count to
three for Malware URL visit,
then hosts that visit three or more known malware URLs will have higher scores
than hosts that visit less than three. For details, see Interpret Botnet
Report Output.
3. Define
the thresholds that determine whether the report will include hosts associated
with traffic involving Unknown TCP or Unknown UDP applications.
4. Select the IRC check
box to include traffic involving IRC servers.
5. Click OK to save the report configuration.
Once the report is complete, you will hopefully see nothing on your network :)
Confidence ranks from 1-5.
5 = high confidence of infection.
