Can't create DNS Proxy using Panorama


L3 Networker

ISSUE

When we try to configure DNS Proxy with Panorama, after commit we get the following error message:

dns-proxy -> xxxxx-> server-profile 'yyyyy' is not a valid reference
dns-proxy -> LAN_speedup -> server-profile is invalid

 

xxxxx -> DNS proxy configured

yyyyy -> DNS server profile created

 

RESOLUTION

The DNS server profile was added as a feature primarily for the configuration of DNS proxy under the Virtual Systems configuration. Hence this is a virtual-system-specific setting, which is what we have currently designed it for.

The recommendation is to choose the location as Shared for now to ensure commits work properly.

 

If your device doesn't support Multi Vsys, you can try the following workaround:

- Disable multi vsys in Panorama.
- Now, create a DNS proxy object, or a different template with a DNS proxy object, so that it can be used for those firewalls that do not have multi vsys or do not have it enabled.
- Now, turn on the multi vsys feature on Panorama.
- (If you have other firewalls that support multi vsys) Create a new DNS proxy object, or a new template with a DNS proxy object, so that it can be pushed to the firewalls that have a multi vsys environment.

6 REPLIES

L1 Bithead

I've had this same issue, still on 9.0.9 code. Is this fixed in a later version?

L2 Linker

I am running 10.1.4 and you still need to disable the MultiVsys option for this within Panorama.

L2 Linker

Still here in 10.2.3, with MultiVsys enabled.

L1 Bithead

If you create your proxy as shared, then we are unable to use variables for the DNS Servers, which then requires a static config. Any way around this?

Yes, I agree we then can't use variables which is very cumbersome as then we need to create a Proxy_DNS template per FW with the correct values...

L2 Linker

I lucked out on this one as all of my devices that are using DNS Proxy only have a single VSYS. That has allowed me to create a Template that has DNS proxy within it. I did have to create an individual template for each region, this means I only have 5 or so templates to update instead of hundreds. Best thing you can do is try to limit the pain by either creating a specific template just for DNS proxy for all of your devices and just overriding the parts that need it in the xstack.
