topic Re: Passive firewall DNS request in General Topics

Passive firewall DNS request

SOC_CSG — Mon, 24 Feb 2014 06:34:31 GMT

Hi,

We have a cluster PA (active/passive), and checking the logs we realised that PA passive is sending DNS connections to its DNS configure like secondary. Shouldnt do this connection only the active PA???? why the passive is doing this request DNS being the passive firewall???

Thanks,

Best regards

Jesus C.

Re: Passive firewall DNS request

HULK — Mon, 24 Feb 2014 07:03:08 GMT

Hello Jesus,

I hope your Passive firewall's management interface connected with your network. For example: if you try to download the dynamic updates on your passive firewall, it will send a DNS request for updates.paloaltonetwork.com to resolve it.

Could you please verify what request the Passive node is sending to your DNS server...?

Thanks

Re: Passive firewall DNS request

SOC_CSG — Mon, 24 Feb 2014 07:40:01 GMT

This is our config in the palo alto.

DNS services
- PA-2050-10.84.96.115 PA-01(active)
  - Primary DNS Server 146.219.39.201
  - Secondary DNS Server 146.219.39.202

PA-2050-10.84.96.116 PA-02(passive)
- Primary DNS Server 192.168.1.1
- Secondary DNS Server 194.179.1.121

So i can see in the logs in FW1 (active), that there is a connection from management interface FW2 (10.84.96.116) to destination its DNS secondary 194.179.1.121........why does FW2 do this connection??

I attach the logs in FW1

A tool in the DNS server is detecting these request like a attack....

…

Re: Passive firewall DNS request

${userLoginName} — Tue, 18 Mar 2014 13:44:21 GMT

Can you also see the content of the DNS requests? It is possible that these are requests to resolve updates.paloaltonetworks.com, and that it keeps on trying to resolve this if it is not getting a response.

The secondary firewall will also try to do updates, if it is configured to do this (Device - Dynamic updates)

Re: Passive firewall DNS request

Phoenix — Tue, 18 Mar 2014 14:30:27 GMT

Hello COS,

If we look at the packet capture for the DNS request we can know to what domain the request is happening. If the domain is fake / repetitive / in excess then it can be termed an attack or so. If the domains are genuine and if they are related to paloalto then it is normal.

( Apps and Threat updates, software updates, url database updates and so on )

We will have to find what kind of request is going for the dns server based on that we can configure the firewall management interface to either fetch that data or deny. For instance if Dynamic updates are not needed then we can set the schedule to none so that it does not fetch the content updates.

We see that all the request to the DNS server is from the management interface. If this is not needed then through the service routes you can customize it to go through any other data ports or probably block traffic on path or remove routes to the dns and so on.

Hope this helps.