No Valid DNS Security License - Resolved

SteveBrown808 — Fri, 19 Aug 2022 23:29:34 GMT

We did a trial of DNS Security, after its expiration pushes from Panorama failed with warning "No Valid DNS Security License" Did a fair bit of searching, only real suggestion was here, that said to set all DNS Policies to Allow, that did not resolve the warning. Tried setting DNS Signatures to Default, still same commit warning.

Poking around CLI, I was able to delete all the botnet-domains in our Spyware profile, commit and push with ZERO warnings; this successfully removed the DNS Security warnings. Hallelujah!

I've not been able to find this anywhere, and so far Support doesn't seem to know about it either; their suggestion was what I found (set all to allow) that does not work.

Before:

admin@Panorama# show shared profiles spyware "Default Anti-Spyware"
set shared profiles spyware "Default Anti-Spyware" rules simple-critical action reset-both
set shared profiles spyware "Default Anti-Spyware" rules simple-critical severity critical
set shared profiles spyware "Default Anti-Spyware" rules simple-critical threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-critical category any
set shared profiles spyware "Default Anti-Spyware" rules simple-critical packet-capture single-packet
set shared profiles spyware "Default Anti-Spyware" rules simple-high action reset-both
set shared profiles spyware "Default Anti-Spyware" rules simple-high severity high
set shared profiles spyware "Default Anti-Spyware" rules simple-high threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-high category any
set shared profiles spyware "Default Anti-Spyware" rules simple-high packet-capture single-packet
set shared profiles spyware "Default Anti-Spyware" rules simple-medium action alert
set shared profiles spyware "Default Anti-Spyware" rules simple-medium severity medium
set shared profiles spyware "Default Anti-Spyware" rules simple-medium threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-medium category any
set shared profiles spyware "Default Anti-Spyware" rules simple-medium packet-capture disable
set shared profiles spyware "Default Anti-Spyware" rules simple-low action alert
set shared profiles spyware "Default Anti-Spyware" rules simple-low severity low
set shared profiles spyware "Default Anti-Spyware" rules simple-low threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-low category any
set shared profiles spyware "Default Anti-Spyware" rules simple-low packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains lists default-paloalto-dns action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains lists default-paloalto-dns packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-adtracking log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-adtracking action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-adtracking packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-cc log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-cc action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-cc packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-ddns log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-ddns action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-ddns packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-grayware log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-grayware action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-grayware packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-malware log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-malware action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-malware packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-parked log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-parked action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-parked packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-phishing log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-phishing action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-phishing packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-proxy log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-proxy action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-proxy packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-recent log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-recent action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-recent packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains sinkhole ipv4-address 127.0.0.1
set shared profiles spyware "Default Anti-Spyware" botnet-domains sinkhole ipv6-address ::1
set shared profiles spyware "Default Anti-Spyware" botnet-domains threat-exception
set shared profiles spyware "Default Anti-Spyware" threat-exception 14978 action default

After:

admin@Panorama# delete shared profiles spyware "Default Anti-Spyware" botnet-domains

admin@Panorama# show shared profiles spyware "Default Anti-Spyware"
set shared profiles spyware "Default Anti-Spyware" rules simple-critical action reset-both
set shared profiles spyware "Default Anti-Spyware" rules simple-critical severity critical
set shared profiles spyware "Default Anti-Spyware" rules simple-critical threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-critical category any
set shared profiles spyware "Default Anti-Spyware" rules simple-critical packet-capture single-packet
set shared profiles spyware "Default Anti-Spyware" rules simple-high action reset-both
set shared profiles spyware "Default Anti-Spyware" rules simple-high severity high
set shared profiles spyware "Default Anti-Spyware" rules simple-high threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-high category any
set shared profiles spyware "Default Anti-Spyware" rules simple-high packet-capture single-packet
set shared profiles spyware "Default Anti-Spyware" rules simple-medium action alert
set shared profiles spyware "Default Anti-Spyware" rules simple-medium severity medium
set shared profiles spyware "Default Anti-Spyware" rules simple-medium threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-medium category any
set shared profiles spyware "Default Anti-Spyware" rules simple-medium packet-capture disable
set shared profiles spyware "Default Anti-Spyware" rules simple-low action alert
set shared profiles spyware "Default Anti-Spyware" rules simple-low severity low
set shared profiles spyware "Default Anti-Spyware" rules simple-low threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-low category any
set shared profiles spyware "Default Anti-Spyware" rules simple-low packet-capture disable
set shared profiles spyware "Default Anti-Spyware" threat-exception 14978 action default

Re: No Valid DNS Security License - Resolved

aleksandar.astardzhiev — Mon, 22 Aug 2022 11:45:09 GMT

Hey @SteveBrown808

Interesting finding.
Allow with packet capture disable is the default configuration. Similar to any other part of PAN XML config file, if anything is not explicetly mentioned in the config, firewall will apply the default.

However if you set this configuration to something else or just explicetly set it to allow, this will still be part of the configuration file.

It looks like the DNS license check is probably only checking if botnet-domains is refered by the configuration and not what action is applied.

Re: No Valid DNS Security License - Resolved

John_Pinegar — Fri, 17 Feb 2023 22:00:17 GMT

I found the solution to the "No Valid DNS Security License" error caused by the Anti-Spyware profile. In addition to changing the POLICY ACTION to allow and PACKET CAPTURE to disable, you need to change the LOG SEVERITY to none. I hope this helps someone. (This worked successfully on PAN-OS 10.2.2 & 10.2.3-h2)

Re: No Valid DNS Security License - Resolved

daniel337KPS — Fri, 24 Feb 2023 15:00:30 GMT

Great, that works, thank you!

Re: No Valid DNS Security License - Resolved

Mohamed_Ibrahim — Fri, 03 Mar 2023 11:16:19 GMT

Thank you, it works.

Re: No Valid DNS Security License - Resolved

JeffCalabrese — Wed, 23 Aug 2023 16:54:45 GMT

I don't feel the above solution is the complete solution. In actuality you could leave all that as is, and it doesn't matter if you created a new Anti-spyware profile or not. You can't delete the default or strict profiles or change them. So what matters is the settings located under Policies. These policies decide whether the Objects within the Security Profiles for Anti-Spyware are used.

With that said;

If you go into Policies > Security

And you check your settings there to make sure that you don't see the shield within any of your security policies under profile. If you see the shield then you are using one of the objects Anti-spyware policies.

If you click on the Security Policy Rule > Actions > Profile Setting > Profile Type. Set this to none and the shield will be replaced with none. Commit your changes and the "No DNS Security License." will no longer plague you while committing.

Re: No Valid DNS Security License - Resolved

mohammad_saqib+ — Mon, 08 Apr 2024 03:43:47 GMT

Hi Jeff may i know which shield you are exactly talking about? is it possible to share a screen shot tobe clear about what shield you are referring to ?

Re: No Valid DNS Security License - Resolved

kiwi — Thu, 11 Apr 2024 07:28:40 GMT

Hi @mohammad_saqib+ ,

He means the Security Profile icon, which is displayed as a protective shield icon in the Security Policy:

Kind regards,

-Kim.

Re: No Valid DNS Security License - Resolved

johannes4711 — Sat, 24 May 2025 09:05:01 GMT

Thank you. That was exactly the information I was missing.

topic Re: No Valid DNS Security License - Resolved in General Topics

No Valid DNS Security License - Resolved

Re: No Valid DNS Security License - Resolved

Re: No Valid DNS Security License - Resolved

Re: No Valid DNS Security License - Resolved

Re: No Valid DNS Security License - Resolved

Re: No Valid DNS Security License - Resolved

Re: No Valid DNS Security License - Resolved

Re: No Valid DNS Security License - Resolved

Re: No Valid DNS Security License - Resolved