05-24-2023 02:55 AM
After upgrading from PANOS 10.1.8-h2 to 10.1.10 we start getting the following commit error.
profiles -> spyware -> sink-alert -> botnet-domains -> dns-security-categories is invalid. Missing pre-defined DNS security category
Any idea to correct this error?
05-24-2023 03:18 AM
Hi @Lance ,
There's a bug in 10.1.10 for this error.
I'd recommend reaching out to support to confirm if you're hitting the exact bug and get updates on its fix release or go to PAN-OS 10.1.9-h3 which is the preferred release at the moment of this writing:
Kind regards,
-Kim.
06-05-2023 10:22 AM
we had a similar issue and we went into the anti-spyware profile to the dns exceptions tab, checked the check boxes at the bottom for the dns signature excpetions, clicked ok and commit and push.
07-12-2023 06:42 PM
cordial Greetings
Team
The error you mention, in my case, was solved by updating the content, specifically the apps and Threats update.
08-07-2023 10:11 AM
There is a bug, with a work-around. Check out this --> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kIDfCAM
10-18-2023 01:54 AM
Dear Kiwi,
I tried the workaround and all other mentioned solutions here by changing parameters back and forth, but unfortunately i cant solve this warning.
-) changing the action like mentioned in Commit warning "dns-security-categories is invalid. Missing pre-defined DNS security category" (palo...did not help.
-) changing the sinkhole address
-) enabling /disabling a dns exception
-) adding / removing a FQDN exception
This customer is currently on 10.1.10, due to other limitations we are waiting for 10.2.6-hx / 10.2.7 before upgrading but i cannot find any known or addressed issue in 10.1.10 / 10.1.10-h1 / 10.1.10-h2 or 10.1.11 - like you mentioned its a known bug in 10.1.10, do you have the bug id?
Thanks,
10-19-2023 08:33 AM
You need the latest content updates for threats and applications and need to click through the tabs of each custom spyware profile and click on OK afterwards (not cancel), you dont even need to change anything. after that you commit and it should work fine.
10-23-2023 03:28 AM
I found the cause for the Error now: Its a Panorama environment and the Firewalls are renewing the content updates every day via shedule, but in the Panorama itself the content update was not up-to-date. I updated it on panorama and went trough all Tabs in alle AS-Profiles and commited and pushed to the Devices and now its gone.
So it was missing the content update in Panorama not on the Firewalls.
Thank you!
11-21-2023 12:58 PM
Adrian,
Thank you for your update. You saved me a PA TAC call 🙂
Clicking every tab and using OK vs Cancel, then commit is a requirement for this to work.
11-24-2023 04:14 AM
Nice Tim! Great to know that my findings could help someone.
03-18-2024 11:50 AM
Thank you. Going through the listed Anti-Spyware profile tabs and clicking "OK" did it for me.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
