https://live.paloaltonetworks.com/t5/general-topics/fqdn-cache-limitations/m-p/245581#M69970 <P>I wanted to reach out tot he community and see how people are handling FQDN cache limit issues.&nbsp;</P><P>Example:</P><P>&nbsp;</P><P>* Internal DNS caches up to 8 IPs for each FQDN</P><P>* PAN device will cache up to 10 (source:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHJCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHJCA0</A>)</P><P>&nbsp;</P><P>If you have a security policy that allows traffic to blah.domain.com and that FQDN is in AWS and could be 20/30/100 IPs your traffic will not always hit the policy allowing the traffic you want to allow since the IP address the application happens to hit will not always be in the FQDN cache.</P><P>&nbsp;</P><P>possible solution #1: have the vendor add more FQDNs (good luck)</P><P>possible solution #2: manually add a ton of IPs to the security policy (horrible idea)</P><P>possible solution #3: leave it alone and accept that the application will try again and eventually hit an IP that is cached</P><P>possible solution #4: Ask the vendor to use a load balancer (good luck)</P><P>possible solution #5: ?</P><P>&nbsp;</P><P>Anyone else run into this? I know there has to be a limit somewhere but I can see this being more and more of an issue as things are moved into the cloud.</P> Thu, 10 Jan 2019 18:57:26 GMT hshawn 2019-01-10T18:57:26Z https://live.paloaltonetworks.com/t5/general-topics/fqdn-cache-limitations/m-p/245581#M69970 <P>I wanted to reach out tot he community and see how people are handling FQDN cache limit issues.&nbsp;</P><P>Example:</P><P>&nbsp;</P><P>* Internal DNS caches up to 8 IPs for each FQDN</P><P>* PAN device will cache up to 10 (source:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHJCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHJCA0</A>)</P><P>&nbsp;</P><P>If you have a security policy that allows traffic to blah.domain.com and that FQDN is in AWS and could be 20/30/100 IPs your traffic will not always hit the policy allowing the traffic you want to allow since the IP address the application happens to hit will not always be in the FQDN cache.</P><P>&nbsp;</P><P>possible solution #1: have the vendor add more FQDNs (good luck)</P><P>possible solution #2: manually add a ton of IPs to the security policy (horrible idea)</P><P>possible solution #3: leave it alone and accept that the application will try again and eventually hit an IP that is cached</P><P>possible solution #4: Ask the vendor to use a load balancer (good luck)</P><P>possible solution #5: ?</P><P>&nbsp;</P><P>Anyone else run into this? I know there has to be a limit somewhere but I can see this being more and more of an issue as things are moved into the cloud.</P> Thu, 10 Jan 2019 18:57:26 GMT https://live.paloaltonetworks.com/t5/general-topics/fqdn-cache-limitations/m-p/245581#M69970 hshawn 2019-01-10T18:57:26Z https://live.paloaltonetworks.com/t5/general-topics/fqdn-cache-limitations/m-p/245595#M69976 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42784">@hshawn</a></P><P>Solution #6: Script it.&nbsp;</P><P>Through the API you could use a script to gather the 100 IPs a domain could be tied to, and then you could create address objects for each address and create an address-group that consists of the recorded IPs. Whenever that script runs you simply take the last recorded results and remove them, rebuild the list via the current pulled results, and then schedule a commit so that you keep the address-group clean of unused addresses.&nbsp;</P> Thu, 10 Jan 2019 20:30:55 GMT https://live.paloaltonetworks.com/t5/general-topics/fqdn-cache-limitations/m-p/245595#M69976 BPry 2019-01-10T20:30:55Z https://live.paloaltonetworks.com/t5/general-topics/fqdn-cache-limitations/m-p/245597#M69977 <P>Solution 6.1# Script it and use dynamic address groups. This way you don't need to commit changes as they will be active immediately:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-panorama-api/pan-os-xml-api-request-types/apply-user-id-mapping-and-populate-dynamic-address-groups-api" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-panorama-api/pan-os-xml-api-request-types/apply-user-id-mapping-and-populate-dynamic-address-groups-api</A></P> Thu, 10 Jan 2019 20:44:48 GMT https://live.paloaltonetworks.com/t5/general-topics/fqdn-cache-limitations/m-p/245597#M69977 Remo 2019-01-10T20:44:48Z