I have configured a firewall rule to allow some servers to ssh to vs-ssh.visualstudio.com to allow the servers to use ssh to connect to the git repo of Azure devops.
This rule uses fqdn address object to allow the servers to only connect on ssh to this server. The problem is that this dns address resolves to 1 ip address, but it changes each time you query (especially if you use google dns) and the record has a very short TTL (60 seconds). Which means even if the server and the palo alto firewall both use the same dns proxy to resolve the record, the server could still get a different ip address back than the firewall has stored in the running security policies.
The only solution I can see is try to override the TTL of the dns entries and force that entries have a minimum TTL of 10 minutes. Except that I wouldn't know how to do this with just the Palo Alto firewall. DNS proxy has the option to change TTL in its cache, but that is to force dns proxy to cache entries for the maximum of that value.
vs-ssh.visualstudio.com isn't the only dns record which has this issue. More and more content delivery networks are using this trick (other example is crl.microsoft.com).
With PAN-OS 8.1 you can lower the fqdn refresh to 60 seconds on the firewall, however, apparently only on the VM-Series:
FQDN Refresh Time Enhancement:
In PAN-OS 8.1, VM-Series firewalls support a larger range for the FQDN Refresh Time than in prior releases. The range is now 60-14,399 seconds, which allows VM-Series firewalls to refresh the IP addresses for an FQDN at shorter intervals. A shorter refresh time is helpful for VM-Series firewalls in cloud deployments where IP addresses for FQDNs change frequently. The shorter refresh time along with the support for using the FQDN of a load balancer in Destination NAT policy (Dynamic IP Address Support for Destination NAT) makes it easier for you to deploy the Amazon ELB service and any other FQDN-based load balancer to distribute sessions evenly across more than one IP address.
Tnx.Sorry for the slow reply. I missed the email notification for the reply.
Setting refresh rate to 60 seconds would work most of the time. As the dns proxies ask a different dns server the TTL that server might have for a record might be below 60 seconds and than you will stil get a difference between address the firewall has and the client gets.
And I am not sure what the impact is of forcing the firewall to rewrites its firewall rules every 60 seconds.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!