DNS Security


L1 Bithead

Hi,

We are getting a warning message (Warning: No valid DNS Security License) every time we commit. Currently we are using PAN-OS 9.0.5. Is it possible to disable this warning message?

Regards,

Logesh S.


I ran into this issue when I upgraded some VM-500s to 10.0.6. I was able to clone the default spyware profile, which I named "default-no-dns-sec". Then I went into the CLI and issued the following commands to delete the DNS-specific items.

delete shared profiles spyware default-no-dns-sec botnet-domains lists default-paloalto-dns
delete shared profiles spyware default-no-dns-sec botnet-domains dns-security-categories pan-dns-sec-cc
delete shared profiles spyware default-no-dns-sec botnet-domains dns-security-categories pan-dns-sec-ddns
delete shared profiles spyware default-no-dns-sec botnet-domains dns-security-categories pan-dns-sec-grayware
delete shared profiles spyware default-no-dns-sec botnet-domains dns-security-categories pan-dns-sec-malware
delete shared profiles spyware default-no-dns-sec botnet-domains dns-security-categories pan-dns-sec-parked
delete shared profiles spyware default-no-dns-sec botnet-domains dns-security-categories pan-dns-sec-phishing
delete shared profiles spyware default-no-dns-sec botnet-domains dns-security-categories pan-dns-sec-proxy
delete shared profiles spyware default-no-dns-sec botnet-domains dns-security-categories pan-dns-sec-recent

On this firewall I have no "production" traffic yet, so I was able to disable all policies. I enabled 1 with this new profile and pushed from Panorama. No issues with the commit and no more warning. All policies and/or Security Profile Groups will need to be updated to completely solve this.

I do have a TAC case open, so I am waiting for confirmation from TAC on this.

Thanks for the update on this, and I'm interested to hear what TAC replies with now. It's kind of ridiculous that this is something that has to be done manually.

So far not much. I am upgrading my PA3260s tonight from 9.1.9 to 10.0.6. This is the same thing I did on the VM500s. I have also upgraded a VM100 and a PA220, neither of which had this problem. The only issue was on the VM500s. I asked TAC why this was, and this is all I got back.

It is a buggy behavior, I've been checking similar cases with the same issue, different platforms. Also on versions 10.0.5 and 10.0.6.
We don't have a root cause of the issue yet, but I'm glad the workaround worked for you.

I did do the workaround in Panorama on a shared profile, so it was only a 1 time change, since it is shared and I was able to push to all my different device groups at once. I also took the opportunity to change all policies to Security Profile Groups. So if I need to change again, it is only a group change, which affects all the policies that it is applied to. Hoping that doesn't bite me down the road 🙂

L2 Linker

Per my TAC case, Engineering has found that the issue is traced to known issue PAN-164941. The commits will retain the warnings, but the commits will still go through, and the issue will be resolved in Fixed Versions: 9.1.11, 10.0.8.

My workaround posted above removed the warnings, and there have been no further issues on any of my models.

Hi Reaper,

When I commit changes in Palo Alto (Software Version 10.0.6) I get a lot of warnings (No Valid DNS Security License).

In Objects > Security Profiles > Anti-Spyware there are 2 predefined profiles: default and strict.

I cloned the strict profile. Changed Action to allow under Signature Policies, changed Policy Action to allow under DNS Policies, changed Sinkhole IPv4 to IPv4 Loopback IP (127.0.0.1). I did these things at different times. But it didn't help. I still get these warnings and it's annoying. Could you show me exactly where and what to do?

P.S. I don't have a DNS Security license.

L2 Linker

RPBagiyev,

See my post from 7/13 above. Those CLI commands are what worked for me, and TAC confirmed it is a good workaround until they get a fix in.

Hi Jesseivens,

In configure mode, when I tab after "delete shared", there's no "profiles" command. Capture in attachment.

L2 Linker

Ahh, that is because mine is a "shared" profile in Panorama. On the firewall it should be like this.

delete profiles spyware "PROFILE-NAME" botnet-domains lists default-paloalto-dns
delete profiles spyware "PROFILE-NAME" botnet-domains dns-security-categories pan-dns-sec-cc
delete profiles spyware "PROFILE-NAME" botnet-domains dns-security-categories pan-dns-sec-ddns
delete profiles spyware "PROFILE-NAME" botnet-domains dns-security-categories pan-dns-sec-grayware
delete profiles spyware "PROFILE-NAME" botnet-domains dns-security-categories pan-dns-sec-malware
delete profiles spyware "PROFILE-NAME" botnet-domains dns-security-categories pan-dns-sec-parked
delete profiles spyware "PROFILE-NAME" botnet-domains dns-security-categories pan-dns-sec-phishing
delete profiles spyware "PROFILE-NAME" botnet-domains dns-security-categories pan-dns-sec-proxy
delete profiles spyware "PROFILE-NAME" botnet-domains dns-security-categories pan-dns-sec-recent

Dear Jesseivens,

After typing these commands the warnings were reduced, but some remained. I still get these warnings.

Thank you for the help.

Does anything DNS-related still show under the profile? If so, I would keep removing them.

show profiles spyware "PROFILE-NAME"
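As an added example (not from this thread or from Palo Alto Networks), the following script turns the "keep removing what still shows" step into a check: it parses a spyware profile entry in the PAN-OS config XML layout (structure assumed; the sample below is constructed) and emits the matching delete commands in either the Panorama shared form or the firewall form used in the posts above.

```python
"""Audit a cloned Anti-Spyware profile for leftover DNS Security items and
emit the `delete` commands that remove them (Panorama shared vs. firewall)."""
import xml.etree.ElementTree as ET


def leftover_dns_items(profile_xml: str) -> dict:
    """Parse one spyware profile <entry> and return the botnet-domains
    lists and dns-security-categories entries that are still present.
    The element layout (<botnet-domains><lists/><dns-security-categories/>)
    is assumed from exported PAN-OS config XML."""
    root = ET.fromstring(profile_xml)
    bd = root.find("botnet-domains")
    if bd is None:
        return {"lists": [], "dns-security-categories": []}
    return {
        "lists": [e.get("name") for e in bd.findall("lists/entry")],
        "dns-security-categories": [
            e.get("name") for e in bd.findall("dns-security-categories/entry")
        ],
    }


def delete_commands(profile: str, items: dict, shared: bool) -> list:
    """Build the CLI delete commands for the leftovers.  `shared=True` gives
    the Panorama form ("delete shared profiles ..."), False the firewall form."""
    prefix = "delete shared profiles spyware" if shared else "delete profiles spyware"
    cmds = [f'{prefix} "{profile}" botnet-domains lists {n}' for n in items["lists"]]
    cmds += [
        f'{prefix} "{profile}" botnet-domains dns-security-categories {n}'
        for n in items["dns-security-categories"]
    ]
    return cmds


# Constructed sample: a cloned profile where two category entries survived
# the first round of deletes (hypothetical data, not a real export).
SAMPLE_PROFILE = """<entry name="default-no-dns-sec">
  <botnet-domains>
    <lists/>
    <dns-security-categories>
      <entry name="pan-dns-sec-malware"><action>sinkhole</action></entry>
      <entry name="pan-dns-sec-phishing"><action>sinkhole</action></entry>
    </dns-security-categories>
  </botnet-domains>
</entry>"""

if __name__ == "__main__":
    left = leftover_dns_items(SAMPLE_PROFILE)
    for cmd in delete_commands("default-no-dns-sec", left, shared=False):
        print(cmd)
```

Feed it the `<entry>` for your profile from an exported configuration and re-run it after each commit until it returns no commands.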
