https://live.paloaltonetworks.com/t5/general-topics/dns-setup-best-practice/m-p/339397#M85235 <P>Hi All ,</P><P>&nbsp;</P><P>I am planning to use FQDN based address for security policy&nbsp; . Any&nbsp;</P><P>best practice to follow . As we have concern related to FQDN dns cache on firewall . And if we are connecting to cloud ( using hybrid setup)&nbsp; any specific recommendation for that as well .</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks&nbsp;</P> Sat, 18 Jul 2020 10:00:24 GMT deepak12 2020-07-18T10:00:24Z https://live.paloaltonetworks.com/t5/general-topics/dns-setup-best-practice/m-p/339397#M85235 <P>Hi All ,</P><P>&nbsp;</P><P>I am planning to use FQDN based address for security policy&nbsp; . Any&nbsp;</P><P>best practice to follow . As we have concern related to FQDN dns cache on firewall . And if we are connecting to cloud ( using hybrid setup)&nbsp; any specific recommendation for that as well .</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks&nbsp;</P> Sat, 18 Jul 2020 10:00:24 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-setup-best-practice/m-p/339397#M85235 deepak12 2020-07-18T10:00:24Z https://live.paloaltonetworks.com/t5/general-topics/dns-setup-best-practice/m-p/339411#M85236 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp; &nbsp;</P><P>&nbsp;</P><P>HI&nbsp; ,</P><P>&nbsp;</P><P>Could you please give any suggestion here .</P><P>&nbsp;</P><P>Thanks ..</P> Sat, 18 Jul 2020 15:17:50 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-setup-best-practice/m-p/339411#M85236 deepak12 2020-07-18T15:17:50Z https://live.paloaltonetworks.com/t5/general-topics/dns-setup-best-practice/m-p/340060#M85368 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/104297">@deepak12</a>,</P><P>&nbsp;</P><P>There are no as such best practice to follow. The only thing you need to consider is DNS configuration on the firewall. As when FQDN based object is configured on firewall, the MGMT plane sends DNS query requests to the configured DNS servers and populates all the IP addresses associated with configured FQDN object. These IP addresses are then forwarded to dataplane and act according to the security policy actions.</P><P>&nbsp;</P><P>Here for Dataplane, this object only acts as a IP address but not as FQDN/domain. There is limit of max 10 IP addresses which are mapped by firewall to one FQDN object. There's no way to modify this limit. In this type of object, you cant configure wildcard domain. For wildcard domains, custom URL category it the option.</P><P>&nbsp;</P><P>Hope it helps!</P><P>Mayur</P> Wed, 22 Jul 2020 14:45:17 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-setup-best-practice/m-p/340060#M85368 SutareMayur 2020-07-22T14:45:17Z https://live.paloaltonetworks.com/t5/general-topics/dns-setup-best-practice/m-p/340061#M85369 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132521">@SutareMayur</a>&nbsp;,</P><P>Hi Mayur ,</P><P>&nbsp;</P><P>Thanks for your help. My concern was mainly due to FQDN cache on firewalls.&nbsp;</P><P>I have one more question.supoose we have fqdn along with Uri path like <A href="https://abc.company.com/check/folder" target="_blank">https://abc.company.com/check/folder</A>..</P><P>For this case just using fqdn based address will work or need to go for custom url for this as well.</P><P>&nbsp;</P><P>Thanks..</P> Wed, 22 Jul 2020 14:52:25 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-setup-best-practice/m-p/340061#M85369 deepak12 2020-07-22T14:52:25Z https://live.paloaltonetworks.com/t5/general-topics/dns-setup-best-practice/m-p/340230#M85395 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/104297">@deepak12</a>It will work.</P><P>For data plane request for <A href="https://abc.company.com/check/folder" target="_blank" rel="nofollow noopener noreferrer noopener noreferrer">https://abc.company.com/check/folder</A>.. will get as <A href="https://abc.company.com/check/folder" target="_blank" rel="nofollow noopener noreferrer noopener noreferrer">https://&lt;FQDN-IP-Address&gt;/check/folder</A>..</P><P>You only need to add object without https:// and any URI.</P><P>&nbsp;</P><P>Mayur</P> Thu, 23 Jul 2020 06:36:10 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-setup-best-practice/m-p/340230#M85395 SutareMayur 2020-07-23T06:36:10Z https://live.paloaltonetworks.com/t5/general-topics/dns-setup-best-practice/m-p/340335#M85428 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132521">@SutareMayur</a>&nbsp;</P><P>&nbsp;</P><P>Thanks for your help ...</P> Thu, 23 Jul 2020 14:23:36 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-setup-best-practice/m-p/340335#M85428 deepak12 2020-07-23T14:23:36Z https://live.paloaltonetworks.com/t5/general-topics/dns-setup-best-practice/m-p/568942#M114789 <P>Hello All,</P> <P>Also use a secure DNS provider as an added layer.&nbsp;<A href="https://www.youtube.com/watch?v=ROIAYSEbTuo" target="_blank">https://www.youtube.com/watch?v=ROIAYSEbTuo</A></P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Regards,</P> Thu, 07 Dec 2023 20:35:07 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-setup-best-practice/m-p/568942#M114789 OtakarKlier 2023-12-07T20:35:07Z