FQDN Refresh Time

cancel
Showing results for 
Search instead for 
Did you mean: 
L4 Transporter
Did you find this article helpful? Yes No
No ratings

FQDN Refresh Time

 

 

For additional resources regarding BPA, visit our LIVEcommunity BPA tool page.
View videos regarding BPA Network best practice checks.
View videos regarding BPA Policies best practice checks.
View videos regarding BPA Objects best practice checks.
View videos regarding BPA Device best practice checks.
You may also view other BPA video playlist on the LIVEcommunity YouTube channel.
Rate this article:
Comments
L2 Linker

On our Palo Altos (managed with Panorama) in the GUI the Minimum FQDN Refresh Time (sec) is set to 30 seconds.
And the FQDN Stale Entry Timeout (min) is set to 1440 mins.
But in the CLI FQDN refresh value countdown is starting at 1199 seconds (20 mins) and that is what I also can see in the real world.
If a firewall rule for a client is set to its FQDN, it takes up to 20 mins until the firewall rule allows access, when the client changes from LAN to Wifi (because these are different ip-addresses).
Because after the 1199 seconds refresh, it shows the new ip address of the client.
I am not sure what is the value in the GUI good for, when in reality it uses refresh every 1199 seconds?

admin@paloaltofw(active)> show dns-proxy cache all | match pcno
pcno99.mydomain.com 10.10.10.24 A IN 1107 2
pcno25.mydomain.com 10.10.10.14 A IN 1106 2
pcno51.mydomain.com 10.10.10.13 A IN 1082 2
admin@paloaltofw(active)>

L2 Linker

Sorry, my fault:
I found this for PanOS 9
FQDN Refresh Enhancement (paloaltonetworks.com)
A DNS record of an FDQN includes a time-to-live (TTL) value and, by default, the firewall now refreshes each FQDN in its cache based on that individual TTL provided by the DNS server—as long as the TTL is greater than or equal to the minimum FQDN refresh setting you configure on the firewall (or greater than or equal to the default setting of 30 seconds if you don’t configure a minimum FQDN refresh setting). Refreshing an FQDN based on its TTL value results in more accurate FQDN resolutions. This is especially helpful for securing access to cloud platform services, which often require frequent FQDN refreshes to ensure that their services are available. For example, cloud environments that support autoscaling depend on FQDN resolutions for dynamically scaling services up and down; fast resolutions of FQDNs are critical in such time-sensitive environments.

Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last update:
‎07-07-2020 10:10 AM
Updated by: