This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

DNS Security

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DNS Security

Go to solution
Logesh
L1 Bithead

‎05-28-2020 06:19 AM

Hi, 

 

We are getting warning message (Warning: No valid DNS Security License) when we commit every time. currently we are using PAN OS 9.0.5. Is it possible to disable this warning message.

 

Regards,

Logesh S.

6 people had this problem.
1 accepted solution

Accepted Solutions

Go to solution
reaper
Cyber Elite
Cyber Elite

‎05-28-2020 06:49 AM

this means you enabled or changed the action on the 'palo alto networks dns security' option in DNS signatures of one or more of your spyware profiles

 

you should set it to 'allow' with no packetcapture if you do not have a license

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

1 person found this solution to be helpful.
(1)
24 REPLIES 24

Go to solution
kiwi
Community Team Member

‎05-28-2020 06:37 AM

Hi @Logesh ,

 

At this time there's no way to suppress warning messages during commit.

 

Fix the warning 🙂

Or reach out to your local SE and have him add your vote to the existing feature request there is for this (FR ID: 2689 - Suppress Warnings in Commit)

 

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Go to solution
Logesh
L1 Bithead
In response to kiwi

‎05-28-2020 06:42 AM

Thanks @kiwi, i will check the same.

0 Likes Likes

Go to solution
reaper
Cyber Elite
Cyber Elite

‎05-28-2020 06:49 AM

this means you enabled or changed the action on the 'palo alto networks dns security' option in DNS signatures of one or more of your spyware profiles

 

you should set it to 'allow' with no packetcapture if you do not have a license

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
1 person found this solution to be helpful.
(1)

Go to solution
TomYoung
Cyber Elite
Cyber Elite
In response to reaper

‎09-04-2020 07:10 AM

You are THE MAN!  This answer should be marked as the solution.  I love clearing all commit errors.  It should be emphasized more in best practices.

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
mlinsemier
L4 Transporter
In response to reaper

‎02-17-2021 12:40 PM - edited ‎02-17-2021 12:50 PM

Just a quick update on this older topic that under PANOS 10.0.x, the DNS Sec license is now integrated in the policy and you can no longer make this change.  Additionally, you cannot change the built-in default policy either.  The kicker is that my Palo Alto account manager offered to sell me DNS Security licenses to get rid of the error and the TAC Engineer told me that its "cosmetic and just a warning" and to file a feature request through my account manager.  

 

mlinsemier_0-1613595029976.png

 

I love when my security team sends me messages every day asking why where are warnings in Panorama about security policies being committed with warnings.  Hopefully as more of us move towards 10.0.x Palo Alto will do something about this.  It frustrating as this option shouldn't be configurable if we don't have a license.

 

-Matt

(2)

Go to solution
crodrigueze
L0 Member
In response to mlinsemier

‎03-25-2021 04:24 PM

Hi Matt, I have the same in PANOS 10 I deleted that warning deleting all botnet-domains, it works if you don't want use the sinkhole feature.

0 Likes Likes

Go to solution
fpadmin
L0 Member
In response to crodrigueze

‎04-22-2021 01:04 PM

So we need to have a license now to utilize SinkHole? 

0 Likes Likes

Go to solution
mlinsemier
L4 Transporter
In response to crodrigueze

‎05-10-2021 02:22 PM

Can you clarify a bit on what you deleted and where so I can review?  I'm not sure where you are seeing botnet-domains.

Go to solution
ksauer507
L3 Networker
In response to crodrigueze

‎06-17-2021 12:11 PM

How do you get rid of this warning on PANOS 10.0.6?  Where do you delete all botnet-domains ?  I guess I can just import them via minemeld anyway?

Go to solution
jesseivens
L2 Linker
In response to ksauer507

‎07-13-2021 12:29 PM

I ran into this issue when I upgraded some VM-500s to 10.0.6.  I was able to clone the default spyware profile, which I named "default-no-dns-sec"  Then I went into CLI and issued the following commands to delete DNS specific items.

delete shared profiles spyware default-no-dns-sec botnet-domains lists default-paloalto-dns
delete shared profiles spyware default-no-dns-sec botnet-domains dns-security-categories pan-dns-sec-cc
delete shared profiles spyware default-no-dns-sec botnet-domains dns-security-categories pan-dns-sec-ddns
delete shared profiles spyware default-no-dns-sec botnet-domains dns-security-categories pan-dns-sec-grayware
delete shared profiles spyware default-no-dns-sec botnet-domains dns-security-categories pan-dns-sec-malware
delete shared profiles spyware default-no-dns-sec botnet-domains dns-security-categories pan-dns-sec-parked
delete shared profiles spyware default-no-dns-sec botnet-domains dns-security-categories pan-dns-sec-phishing
delete shared profiles spyware default-no-dns-sec botnet-domains dns-security-categories pan-dns-sec-proxy
delete shared profiles spyware default-no-dns-sec botnet-domains dns-security-categories pan-dns-sec-recent

 

On this firewall I have not "production" traffic yet, so I was able to disable all policies.  I enabled 1 with this new profile and pushed from Panorama.  No issues with the commit and no more warning.  All policies and/or Security Profile Groups will need to be updated to completely solve this.

I do have a TAC case open, so I am waiting for confirmation from TAC on this.

Go to solution
mlinsemier
L4 Transporter
In response to jesseivens

‎07-14-2021 08:47 AM

Thanks for the update on this and I'm interested to hear what TAC replies with now.  It's kind of ridiculous that this is something that has to be done manually.

0 Likes Likes

Go to solution
jesseivens
L2 Linker
In response to mlinsemier

‎07-14-2021 08:54 AM

So far not much.  I am upgrading my PA3260s tonight from 9.1.9 to 10.0.6.  This is the same think I did on the VM500s.  I have also upgrade a VM100 and PA220, neither of which I had this problem.  Only issue was on the VM500s.  I ask TAC why this was and this is all I got back.  

It is a buggy behavior, I've been checking similar cases with the same issue, different platforms. Also on versions 10.0.5 and 10.0.6.
We don't have a root cause of the issue yet, but I'm glad the workaround worked for you.

 

I did do the workaround in Panorama on a shared profile, so it was only a 1 time change, since it is shared and I was able to push to all my different device groups at once.  I also took the opportunity change all policies to Security Profile Groups.  So if I need to change again, it is only a group change which affects all the policies that it is applied to.  Hoping that doesn't bite me down the road 🙂

0 Likes Likes

Go to solution
jesseivens
L2 Linker

‎07-19-2021 07:18 AM

Per my TAC case, Engineering had found that the issue is traced to a known issue PAN-164941 currently. The commits will retain the warnings but the commits will still go through and the issue will be resolved in Fixed Versions: 9.1.11, 10.0.8.  

 

My work around posted removed the warnings and no further issues on any of my models. 

0 Likes Likes

Go to solution
RPBagiyev
L1 Bithead
In response to reaper

‎08-18-2021 01:03 AM

Hi Reaper,

 

When I commit changes in Palo Alto (Software Version 10.0.6) I got a lot of warnings (No Valid DNS Security License).

In Objects > Security Profiles > Anti-Spyware there are 2 predefined profiles: default and strict.

I cloned strict profile. Changed Action to allow under Signature Policies, changed Policy Action to allow under DNS Policies, changed Sinkhole IPv4 to IPv4 Loopback IP (127.0.0.1). I did these things at different times. But it didn't help. I still got these warnings and its annoying. Could you show me exact place what to do?

P.S. I don't have a DNS Security license.

0 Likes Likes
  • 1 accepted solution
  • 24614 Views
  • 24 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks