FQDN TTL shorter than refresh time


L1 Bithead

I have a problem with some sites that use DNS round robin as a load balancer.

As an example:

vs-ssh.visualstudio.com

This has the TTL set to 300 sec; the PA's FQDN refresh is 30 min by default.

So the firewall won't cache all the IPs used in the round robin, because when it does a refresh the old value has timed out.

So the rule where I use the FQDN object fails periodically.

Is there a way to ignore the TTL value, not generally, but for individual entries in the FQDN cache?

 

Rgds Knud

3 REPLIES

Cyber Elite

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKbCAK

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

That was not exactly what I was asking for. I know you can change the refresh time, but that won't solve the problem.

I need to be able to configure an alternative TTL per FQDN, so instead of having a 5 min TTL I could configure the PA to ignore the TTL in the DNS reply and configure the cache to 24 hours, but only for that entry.

Either DNS Proxy static entries or some external cron job to resolve names to IPs and then push results to Palo through API as often as needed.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
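The "external cron job" workaround from the reply above, written out as an added example (it is not code from this thread or from Palo Alto Networks). It shows why a 300 s TTL against a 30 min refresh leaves the firewall holding only one round-robin slice, harvests the full address pool by polling the name repeatedly, and builds the PAN-OS XML API `config`/`set` requests that would push the result as static address objects. Assumptions: the standard single-vsys address-object xpath and the `X-PAN-KEY` header for API authentication, the constructed `RoundRobinPool` that stands in for the real zone so the demo runs offline, the documentation-range addresses `203.0.113.x`, and the placeholder name `vs-ssh.example.test` (substitute the real FQDN from the thread in production). Function and object names (`harvest`, `build_set_requests`, `rr-N`) are hypothetical.

```python
import socket
import time
import urllib.parse
import urllib.request

# PAN-OS XML API xpath for a vsys address object (assumption: standard single-vsys layout).
ADDRESS_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
                 "/vsys/entry[@name='{vsys}']/address/entry[@name='{name}']")


def coverage_gap(ttl_s, refresh_s):
    """True when the answer cached at the last refresh expires before the next
    refresh, i.e. the FQDN cache never holds more than one round-robin slice."""
    return ttl_s < refresh_s


def resolve_live(fqdn):
    """One real lookup: for a round-robin name this returns only the slice of the
    pool the authoritative server chose for this single query."""
    return {info[4][0] for info in socket.getaddrinfo(fqdn, None, socket.AF_INET)}


class RoundRobinPool:
    """Constructed stand-in for a round-robin zone: every query returns a rotating
    window of `answer_size` addresses out of the full pool (not a real resolver)."""
    def __init__(self, pool, answer_size):
        self.pool, self.size, self.offset = list(pool), answer_size, 0

    def __call__(self, fqdn):
        n = len(self.pool)
        answer = {self.pool[(self.offset + k) % n] for k in range(self.size)}
        self.offset = (self.offset + 1) % n
        return answer


def harvest(fqdn, resolver=resolve_live, polls=12, interval_s=0.0, sleep=time.sleep):
    """Poll `fqdn` `polls` times (spaced `interval_s` apart) and return the union
    of every address seen, which is the set the firewall rule actually needs."""
    seen = set()
    for i in range(polls):
        seen |= set(resolver(fqdn))
        if interval_s and i < polls - 1:
            sleep(interval_s)
    return seen


def build_set_requests(addresses, fqdn, vsys="vsys1", name_prefix="rr"):
    """One XML API 'config'/'set' request per harvested address, creating static
    address objects rr-1, rr-2, ... for a rule or address group to reference."""
    reqs = []
    for n, ip in enumerate(sorted(addresses), start=1):
        name = "{}-{}".format(name_prefix, n)
        reqs.append({
            "type": "config", "action": "set",
            "xpath": ADDRESS_XPATH.format(vsys=vsys, name=name),
            "element": "<ip-netmask>{}/32</ip-netmask><description>{}</description>".format(ip, fqdn),
        })
    return reqs


def push(firewall, api_key, reqs, ca_context=None):
    """Submit the requests to https://<firewall>/api/ with the key in the X-PAN-KEY
    header (assumption); a commit must follow. Not called by the offline demo."""
    for params in reqs:
        url = "https://{}/api/?{}".format(firewall, urllib.parse.urlencode(params))
        req = urllib.request.Request(url, headers={"X-PAN-KEY": api_key})
        with urllib.request.urlopen(req, context=ca_context) as resp:
            print(resp.read().decode())


if __name__ == "__main__":
    ttl, refresh = 300, 30 * 60          # values from the thread
    print("single slice per refresh:", coverage_gap(ttl, refresh))
    pool = RoundRobinPool(["203.0.113.10", "203.0.113.11",
                           "203.0.113.12", "203.0.113.13"], answer_size=2)
    print("one DNS answer:", sorted(pool("vs-ssh.example.test")))
    pool.offset = 0
    ips = harvest("vs-ssh.example.test", resolver=pool, polls=3)
    print("harvested pool:", sorted(ips))
    for r in build_set_requests(ips, "vs-ssh.example.test"):
        print(r["xpath"], r["element"])
```

Run from cron at an interval well below the TTL (every minute for a 300 s TTL) with `resolver=resolve_live`, then diff the harvested set against the objects already on the firewall and only `push` and commit on change; polling for a day before the first push gives a reasonable picture of the whole pool, and addresses that drop out of the harvest for several days can be removed the same way.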