What Happens to FQDNs in a Security Policy when DNS Time-to-Live Expires and Device Cannot Reach DNS

L4 Transporter

What will happen in that case when the DNS server becomes unreachable?

Would the destination server be unreachable?

Is there a possible solution if the DNS server becomes unreachable?

Community Manager

Re: What Happens to FQDNs in a Security Policy when DNS Time-to-Live Expires and Device Cannot Reach

The FQDN object will retain its old mapping even after the TTL expires if the DNS server is unreachable at the time of expiry.


Help the community: Like helpful comments and mark solutions
Reaper out
L7 Applicator

Re: What Happens to FQDNs in a Security Policy when DNS Time-to-Live Expires and Device Cannot Reach

@MandarKulkarni,

So the only time the firewall actually takes TTL into account is 9.0 and later; 8.1 and lower don't care about the record's TTL. Within 9.0 you have the option of configuring both a Minimum FQDN Refresh and a Stale Entry timeout. The Stale Entry setting is what you will want to look at and configure appropriately, as that's how long the firewall will continue to use its cache for FQDN objects if the DNS server isn't reachable.

 

Prior to 9.0, the firewall doesn't take the TTL into account. It would refresh at whatever interval you have configured, and if the DNS server became unreachable it would use its cached entry until it was able to refresh, the firewall was restarted, or the cache was cleared.
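To make the two behaviours in the reply above concrete, here is an added example that is not part of the original thread and not PAN-OS code: a small Python model of an FQDN object cache in front of a resolver that goes away. The names (`FqdnCache`, `min_refresh`, `stale_timeout`, `honour_ttl`), the timings and the exact semantics are assumptions made for the illustration. The 9.0+ mode refreshes at the larger of the record TTL and the minimum refresh interval and keeps an old mapping only until the stale timeout (measured from the last successful resolution) has passed, after which the object resolves to nothing and a policy built on it stops matching; the pre-9.0 mode refreshes at a fixed interval and keeps the old mapping for as long as the resolver stays down.

```python
"""Model of FQDN-object cache behaviour when the DNS server becomes unreachable.

Illustration only (not PAN-OS code); the class, parameter names, timings and
the precise stale-timeout semantics are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Resolver signature: (name, now) -> (addresses, ttl_seconds), or None when unreachable.
Resolver = Callable[[str, float], Optional[Tuple[List[str], int]]]


@dataclass
class CacheEntry:
    addrs: List[str]
    last_ok: float        # time of the last successful resolution
    next_refresh: float   # when the next DNS query is due


class FqdnCache:
    def __init__(self, resolver: Resolver, min_refresh: int,
                 stale_timeout: int, honour_ttl: bool) -> None:
        self.resolver = resolver
        self.min_refresh = min_refresh        # "Minimum FQDN Refresh" in the reply's terms
        self.stale_timeout = stale_timeout    # "Stale Entry timeout"; unused when honour_ttl is False
        self.honour_ttl = honour_ttl          # True models the 9.0+ behaviour, False the pre-9.0 one
        self.entries: Dict[str, CacheEntry] = {}

    def lookup(self, name: str, now: float) -> Tuple[List[str], str]:
        """Return (addresses, state); state is fresh, stale, expired or unresolved."""
        entry = self.entries.get(name)
        if entry is not None and now < entry.next_refresh:
            return entry.addrs, "fresh"
        answer = self.resolver(name, now)
        if answer is not None:
            addrs, ttl = answer
            # 9.0+: honour the record TTL but never poll faster than the minimum refresh.
            # pre-9.0: fixed interval regardless of TTL.
            interval = max(ttl, self.min_refresh) if self.honour_ttl else self.min_refresh
            self.entries[name] = CacheEntry(addrs, now, now + interval)
            return addrs, "fresh"
        # Resolver unreachable at refresh time.
        if entry is None:
            return [], "unresolved"           # never resolved: the object matches nothing
        if self.honour_ttl and now - entry.last_ok > self.stale_timeout:
            del self.entries[name]            # stale timeout exceeded: drop the old mapping
            return [], "expired"
        entry.next_refresh = now + self.min_refresh  # retry later, keep serving the old mapping
        return entry.addrs, "stale"


def policy_matches(addrs: List[str], dst_ip: str) -> bool:
    """A rule whose destination is the FQDN object matches only resolved addresses."""
    return dst_ip in addrs


def demo_resolver(name: str, now: float) -> Optional[Tuple[List[str], int]]:
    """Constructed sample resolver: answers with a 60 s TTL until t=100 s, then is unreachable."""
    if now >= 100:
        return None
    return ["203.0.113.10"], 60


def run_scenario(honour_ttl: bool) -> List[Tuple[int, str, bool]]:
    """Poll the cache at fixed times; return (time, state, policy match) per lookup."""
    cache = FqdnCache(demo_resolver, min_refresh=30, stale_timeout=120, honour_ttl=honour_ttl)
    timeline = []
    for t in (0, 50, 60, 120, 150, 180, 210, 240):
        addrs, state = cache.lookup("app.example.test", t)
        timeline.append((t, state, policy_matches(addrs, "203.0.113.10")))
    return timeline


if __name__ == "__main__":
    for label, flag in (("9.0+ (TTL + stale timeout)", True),
                        ("pre-9.0 (fixed refresh, keep until refresh succeeds)", False)):
        print(label)
        for t, state, allowed in run_scenario(flag):
            print(f"  t={t:>3}s  {state:<10} policy match: {allowed}")
```

In the 9.0+ run the object keeps matching through three failed refreshes and stops at t=210 s, once more than `stale_timeout` seconds have passed since the last good answer; in the pre-9.0 run it keeps matching for the whole outage. That is the practical trade-off behind the Stale Entry setting: a short value fails closed quickly when DNS is down, a long one keeps traffic flowing on possibly outdated addresses.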
