topic Re: What Happens to FQDNs in a Security Policy when DNS Time-to-Live Expires and Device Cannot Reach in General Topics

What Happens to FQDNs in a Security Policy when DNS Time-to-Live Expires and Device Cannot Reach DNS

fatboy1607 — Mon, 30 Sep 2019 16:37:18 GMT

What will happen in that case when DNS server becomes unreachable ?

Would destination server be unreachable ?

Possible solution if DNS server gets unreachable.

Re: What Happens to FQDNs in a Security Policy when DNS Time-to-Live Expires and Device Cannot Reach

myky — Mon, 30 Sep 2019 21:17:56 GMT

FYI:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbhCAC

Re: What Happens to FQDNs in a Security Policy when DNS Time-to-Live Expires and Device Cannot Reach

reaper — Mon, 30 Sep 2019 21:22:10 GMT

the fqdnobject will retain it's ild mapping even after the TTL expires if the dns server is unreachable at the time of expiry

Re: What Happens to FQDNs in a Security Policy when DNS Time-to-Live Expires and Device Cannot Reach

BPry — Mon, 30 Sep 2019 21:23:07 GMT

@fatboy1607,

So the only time the firewall actually takes TTL into account is 9.0 and later, otherwise 8.1 and lower don't care about the records TTL. Within 9.0 you have an option of configuring both a Minimum FQDN refresh, along with a Stale Entry timeout. The Stale Entry setting is what you will want to look at and configure appropriately, as that's how long the firewall will continue to use its cache for FQDN objects if the DNS server isn't reachable.

Prior to 9.0; the firewall doesn't take into account the TTL. It would refresh at whatever interval you have configured and if the DNS server became unreachable it would utilize it's cache entry until it was able to either refresh, the firewall was restarted, or the cache was cleared.