topic Re: PaloAlto and DNS in General Topics

PaloAlto and DNS

dtran — Sun, 06 Dec 2020 01:09:41 GMT

I have PAN running version 8.1.17 and it is configured with two DNS servers on the management interface, you know the usual, nothing special. I have security and NAT rule on the PAN firewall the uses FQDN.

Is there a way to detect when the PAN fails to query the DNS server? Is there anything in the system log that will tell me the PAN can NOT resolve DNS queries because DNS servers are not available?

Re: PaloAlto and DNS

MP18 — Sun, 06 Dec 2020 23:32:14 GMT

@dtran

DNS is used by the Management plane and you will not see the logs in the system logs.

If you have two DNS servers configured for MP then if first one does not work it will try second.

To see the logs of the DNS server you this command

dmin@BMS> tcpdump filter "port 53"

Press Ctrl-C to stop capturing

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

^C6 packets captured

6 packets received by filter

0 packets dropped by kernel

admin@BMS> view-pcap mgmt-pcap mgmt.pcap

16:27:32.181752 IP 192.168.1.10.51698 > 10.25.51.60.domain: 39467+ A? pool.ntp.org. (30)

16:27:32.181783 IP 192.168.1.10.51698 > 10.25.51.60.domain: 48046+ AAAA? pool.ntp.org. (30)

16:27:32.421488 IP 10.25.51.60.domain > 192.168.1.10.51698: 48046 0/1/0 (85)

16:27:32.421675 IP 10.25.51.60.domain > 192.168.1.10.51698: 39467 4/0/0 A 216.55.208.22, A 205.206.70.7, A 68.69.221.61, A 209.115.181.110 (94)

16:27:35.212415 IP 192.168.1.10.37727 > 10.25.51.60.domain: 1564+ [1au] AAAA? home-fw.ecobee.com. (47)

16:27:35.214506 IP 10.25.51.60.domain > 192.168.1.10.37727: 1564 1/1/1 CNAME home-fw.hm-prod.ecobee.com. (167)

Where 192.168.1.10 is Management IP of the PA

10.25.51.50 is my Internal DNS server.

Regards

Re: PaloAlto and DNS

dtran — Mon, 07 Dec 2020 02:54:22 GMT

I know how DNS works and I also know how tcpdump work but that is not my question.

If the PAN can NOT communicate with DNS over the MP for FQDN resolution, will there any messages in the system log file that will tell me? Apparently, I see messages in the system file for LDAP, but not DNS. Why?

Re: PaloAlto and DNS

Mick_Ball — Mon, 07 Dec 2020 11:44:49 GMT

seems i only get a resolve error... not an actual connection error....

Re: PaloAlto and DNS

MP18 — Sun, 13 Dec 2020 00:47:53 GMT

@dtran Seems this is by PA design

If you wanna see failure logs for DNS server in system logs you can check with your SE and ask for feature request.

As @Mick_Ball mentioned you will only see logs for may show type :general and description description contains 'Connection to Update server closed: updates.paloaltonetworks.com, source: '

If you wanna see additional info you can check the

ms.logs which is part of the management server logs, show it failed to check, but it does not give me any information about DNS failure

"error code-1" may indicate connection failure

020-12-12 14:36:15.666 -0800 Error: pan_mgmtop_support_check_handler(pan_ops_common.c:10318): Error removing file:/opt/pancfg/mgmt/global/supportinfo.xml.10277
2020-12-12 14:36:15.666 -0800 updater error code:-1
'cfg.platform.express-mode': NO_MATCHES
NO_MATCHES
NO_MATCHES
2020-12-12 14:37:31.116 -0800 ### MS-DB: RuleHit update: /opt/pancfg/mgmt/devices/localhost.localdomain/rule-hit-count-db.txt
2020-12-12 14:38:07.573 -0800 updater error code:-1

Hope this helps

Regards

Re: PaloAlto and DNS

jdelio — Wed, 27 Jan 2021 16:37:15 GMT

The question that I have, is exactly what is happening to you?