PA 3260 Policy Rule losing DNS resolution to FQDN-defined site - 4.19.23

Paul_Carpenter — Thu, 20 Apr 2023 01:38:42 GMT

We have a policy rule that contains an FQDN-defined website destination (yandr.wiredrive.com). When initially configured to pass traffic to required cloud-based resources, DNS resolution to the wiredrive.com site would happen regularly, usually after an hour or so. A Palo Alto knowledgebase article about the Fast-DNS caching used by cloud-based resources could be remediated by reducing the FQDN resolution time from the default from 30 minutes to 10 minutes. After the recommended change, the connection functioned normally for a 10-hour shift with no issues. After a few days we noticed that the connection would be lost overnight, and could only be resolved by "toggling" the policy rule, thereby renewing the connection.

Is there a way to configure PAN-OS policy rules to ensure uninterrupted connection to the cloud-based resource, without having to manually renew the connection?

Fast-DNS Resolution Issues

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boQJCAY

How to change the FQDN Refresh Timers

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKbCAK

Thanks

Re: PA 3260 Policy Rule losing DNS resolution to FQDN-defined site - 4.19.23

Y-alwaysMe — Thu, 20 Apr 2023 08:25:45 GMT

Hi Paul,

The 10 minutes in your case is probably too long if it is resulting in loss of connectivity after a certain period

since PAN-OS 9 the timeout can be reduced to seconds and that is probably what will fix the problem for you.

see this kb article.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cmq0CAC

topic Re: PA 3260 Policy Rule losing DNS resolution to FQDN-defined site - 4.19.23 in Next-Generation Firewall Discussions

PA 3260 Policy Rule losing DNS resolution to FQDN-defined site - 4.19.23

Re: PA 3260 Policy Rule losing DNS resolution to FQDN-defined site - 4.19.23