On our Palo Altos (managed with Panorama) in the GUI the Minimum FQDN Refresh Time (sec) is set to 30 seconds.
And the FQDN Stale Entry Timeout (min) is set to 1440 mins.
But in the CLI the FQDN refresh countdown starts at 1199 seconds (20 mins), and that is what I also see in the real world.
If a firewall rule for a client is set to its FQDN, it takes up to 20 mins until the firewall rule allows access when the client changes from LAN to Wi-Fi (because these are different IP addresses).
Because only after the 1199-second refresh does it show the new IP address of the client.
I am not sure what the value in the GUI is good for, when in reality it refreshes every 1199 seconds?
admin@paloaltofw(active)> show dns-proxy cache all | match pcno
pcno99.mydomain.com 10.10.10.24 A IN 1107 2
pcno25.mydomain.com 10.10.10.14 A IN 1106 2
pcno51.mydomain.com 10.10.10.13 A IN 1082 2
admin@paloaltofw(active)>
Sorry, my fault:
I found this for PanOS 9
FQDN Refresh Enhancement (paloaltonetworks.com)
A DNS record of an FQDN includes a time-to-live (TTL) value and, by default, the firewall now refreshes each FQDN in its cache based on that individual TTL provided by the DNS server—as long as the TTL is greater than or equal to the minimum FQDN refresh setting you configure on the firewall (or greater than or equal to the default setting of 30 seconds if you don’t configure a minimum FQDN refresh setting). Refreshing an FQDN based on its TTL value results in more accurate FQDN resolutions. This is especially helpful for securing access to cloud platform services, which often require frequent FQDN refreshes to ensure that their services are available. For example, cloud environments that support autoscaling depend on FQDN resolutions for dynamically scaling services up and down; fast resolutions of FQDNs are critical in such time-sensitive environments.
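The behaviour quoted above (refresh on the record's own TTL whenever that TTL is at or above the configured minimum, otherwise on the minimum) is what makes the GUI value of 30 seconds a floor rather than the actual interval. The script below is an added example, not code from Palo Alto Networks or from this thread: it parses `show dns-proxy cache` output in the format shown earlier in the thread, applies the documented refresh rule, and reports how long a client-to-FQDN rule can stay pointed at a stale address after the client moves networks. It assumes column 5 of the cache output is the remaining TTL in seconds and treats the trailing column as opaque, since its meaning is not stated on the page.

```python
import re
from dataclasses import dataclass

# PAN-OS default minimum FQDN refresh when none is configured (from the quoted documentation).
DEFAULT_MIN_REFRESH_SEC = 30

@dataclass
class CacheEntry:
    fqdn: str
    address: str
    rtype: str
    rclass: str
    ttl_remaining: int  # assumed: seconds left before the firewall re-resolves this name
    trailer: int        # trailing column from the CLI output; meaning not given on the page

# One data line: <fqdn> <ip> <type> <class> <ttl> <trailer>
_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(IN)\s+(\d+)\s+(\d+)\s*$")

def parse_cache_output(text):
    """Parse 'show dns-proxy cache' output; prompt lines and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("admin@") or line.endswith(">"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue  # tolerate wrapped or truncated lines rather than abort
        fqdn, addr, rtype, rclass, ttl, trailer = m.groups()
        entries.append(CacheEntry(fqdn, addr, rtype, rclass, int(ttl), int(trailer)))
    return entries

def effective_refresh_seconds(record_ttl, min_refresh=DEFAULT_MIN_REFRESH_SEC):
    """Documented rule: use the DNS TTL if it is >= the minimum setting, else the minimum."""
    if record_ttl < 0 or min_refresh < 0:
        raise ValueError("TTL and minimum refresh must be non-negative")
    return record_ttl if record_ttl >= min_refresh else min_refresh

def worst_case_stale_seconds(entries):
    """Longest time any cached FQDN can keep an old address before being re-resolved."""
    return max((e.ttl_remaining for e in entries), default=0)

def stale_report(entries, threshold_sec):
    """Names whose next refresh is further away than an acceptable access delay."""
    return [(e.fqdn, e.address, e.ttl_remaining)
            for e in entries if e.ttl_remaining > threshold_sec]

# Constructed sample, matching the format of the CLI output shown in the thread.
SAMPLE_OUTPUT = """admin@paloaltofw(active)> show dns-proxy cache all | match pcno
pcno99.mydomain.com 10.10.10.24 A IN 1107 2
pcno25.mydomain.com 10.10.10.14 A IN 1106 2
pcno51.mydomain.com 10.10.10.13 A IN 1082 2
admin@paloaltofw(active)>
"""

if __name__ == "__main__":
    entries = parse_cache_output(SAMPLE_OUTPUT)
    # A 1200-second zone TTL with the GUI minimum of 30 seconds yields a 1200-second refresh,
    # which is the ~20-minute countdown observed in the thread.
    print("refresh interval for TTL 1200 / min 30:", effective_refresh_seconds(1200, 30))
    print("worst-case stale window (s):", worst_case_stale_seconds(entries))
    for fqdn, addr, ttl in stale_report(entries, threshold_sec=300):
        print(f"{fqdn} -> {addr} will not be re-resolved for another {ttl}s")
```

The practical takeaway the script makes visible: to shorten the window in which a client that changed networks is still matched against its old address, the lever is the TTL on the DNS zone serving those host records, not the firewall's minimum refresh setting, which only prevents refreshing more often than the configured floor.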