03-26-2021 04:20 AM
Dear Team,
The challenge was that we needed to commit with a wildcard in the DNS suffix, i.e. *.xyz.com, but it failed (PAN-OS 9.1.7).
As a workaround we have removed the wildcard.
You can see on another firewall with PAN-OS 9.1.5 that it has a DNS suffix with a wildcard. For resolving the DNS suffix issue with the wildcard:
after upgrading PAN-OS from 9.1.5 to 9.1.7, why is the wildcard not accepted in the DNS suffix?
Regards
Karthikeyan Balamurugan
03-26-2021 05:13 AM
In the GUI and system log, is it written why the commit fails? In the CLI also check the management plane ms.log and devsrv.log.
03-26-2021 05:29 AM
We have added * (star symbol), i.e. *.abc.com.
In 9.1.5 it is working, i.e. *.abc.com.
But in 9.1.7 *.abc.com is not working, so we changed it to abc.com and committed the changes; then it works.
03-26-2021 05:29 AM
After removing the * symbol it works.
03-26-2021 06:03 AM
Are you adding this to a GP gateway\agent\network services?
Could you post the CLI command that you are using for this, or is it done via the GUI?
03-26-2021 06:22 AM
Yup, the configuration is done by GUI only.
03-26-2021 06:23 AM
OK, but where in the GUI?
03-26-2021 06:48 AM
OK thanks for the information.
I can't work out why you would ever need a wildcard in a DNS search suffix.
How does that even work?
If you add suffix "abc.com" and ping "fred", then your DNS server will try to resolve "fred.abc.com".
If you add suffix "*.abc.com" and ping "fred", are you expecting the DNS to resolve "fred.(any name).abc.com"?
I don't think this has ever worked as expected, and perhaps earlier versions just ignored the error while the later versions now error-check this field.
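As an added illustration (not code from any poster on this thread, and not PAN-OS's own validation logic): a small resolver-style simulation of how a search suffix is appended to a short name, plus a syntax check that rejects a wildcard entry. The hostname-syntax rule it applies (RFC 1123 labels) and the `ndots` search behaviour are assumptions about typical stub resolvers, not a statement about how PAN-OS validates the field.

```python
import re

# One DNS label: 1-63 chars of letters/digits/hyphen, no leading or trailing hyphen.
# Assumption: search suffixes must satisfy RFC 1123 hostname syntax, so "*" is not a valid label.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_search_suffix(suffix):
    """Return None if `suffix` is a usable search domain, otherwise a reason string."""
    s = suffix.strip().rstrip(".")
    if not s:
        return "empty suffix"
    if len(s) > 253:
        return "suffix longer than 253 characters"
    for label in s.split("."):
        if not _LABEL_RE.match(label):
            return f"label {label!r} is not valid hostname syntax (wildcards are not allowed in a search suffix)"
    return None


def search_candidates(name, suffixes, ndots=1):
    """Candidate FQDNs a stub resolver would try for `name`, in order.

    Assumed behaviour (typical resolv.conf semantics): a name with fewer than `ndots`
    dots is tried with each suffix appended first, then as-is; a name with at least
    `ndots` dots is tried as-is first. A trailing dot means 'absolute', no search.
    Invalid suffixes are rejected up front, the way a config commit would refuse them.
    """
    problems = {s: validate_search_suffix(s) for s in suffixes}
    bad = [f"{s}: {why}" for s, why in problems.items() if why]
    if bad:
        raise ValueError("invalid search suffix(es): " + "; ".join(bad))
    clean = [s.strip().rstrip(".") for s in suffixes]
    if name.endswith("."):
        return [name]
    appended = [f"{name}.{s}" for s in clean]
    if name.count(".") >= ndots:
        return [name] + appended
    return appended + [name]
```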
03-26-2021 06:54 AM
I can't even add that to my gateway config without an error...
03-26-2021 06:58 AM - edited 03-26-2021 07:03 AM
In the Palo Alto documentation it should work, as they give examples with *.target.com or *.gmail.com. Try adding only the DNS suffix *.ibm.com without any others as a test, and then contact the Palo Alto TAC, as it seems to be a bug. I have seen a bug where this wildcard suffix needs to be the last domain in the list; this is why I suggest testing this before the TAC case.
Also, this optimized split tunneling was added in the 8.1 version, and again they give examples with *.<domain-name>.
Also double-check your GlobalProtect license just in case, as this option is included with it, not with the normal license. I don't think this is the issue, but just in case.
03-26-2021 07:03 AM
Hi @nikoolayy1
I think you are referring to split tunnel domains.
I think the setting that is having issues is the DNS search suffix here... Network Services.
03-26-2021 07:50 AM
Yes, we have been facing the issue here on network services.