- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
03-26-2021 04:20 AM
Dear Team,
The challenge was that we need to do commit with wildcard in dns suffix ie. *.xyz.com but it failed ( PAN OS 9.1.7).
For workaround we have removed wildcard.
You seen in other firewall with panos 9.1.5 its having dns suffix with wildcard. For resolving dns suffix issue with wildcard,
After upgrading to panos from 9.1.5 to 9.1.7 why wildcard not taking in dns suffix.
Regards
Karthikeyan Balamurugan
03-26-2021 05:13 AM
In GUI and system log is it written why the commit fails? In the CLI also check the managment plane ms.log and devsrv.log.
03-26-2021 05:29 AM
We have added *(Star Symbol) i.e *.abc.com
in 9.1.5 its working ie *.abc.com
But in 9.1.7 *.abc.com is not working so we have changed to abc.com and we commit the changes then its works
03-26-2021 05:29 AM
After removing * symbol its works
03-26-2021 06:03 AM
are you adding this to a GP gateway\agent\network services.
could you post the cli command that you are using for this. or is it done via GUI.
03-26-2021 06:22 AM
yup, the configuration done by GUI only
03-26-2021 06:23 AM
OK but where in the GUI
03-26-2021 06:48 AM
OK thanks for the information.
I cant work out why you would ever need a wildcard in a dns search suffix.
how does that even work?????
if you add suffix "abc.com" and ping "fred" then your dns server will try to resolve "fred.abc.com".
if you add suffix "*.abc.com" and ping "fred" are you expecting the dns to resolve to "fred.(any name).abc.com"
i don't think this has ever worked as expected and perhaps earlier versions just ignored the error and the later versions now error check this field.
03-26-2021 06:54 AM
I can't even add that to my gateway config without an error...
03-26-2021 06:58 AM - edited 03-26-2021 07:03 AM
In the Palo Alto documentation it should work as they give examples with *.target.com or * .gmail.com. Try adding only the DNS suffix *.ibm.com without any others as test and then contact the Palo Alto TAC as it seems as a bug. I have seen an issue bug where this wildcard suffix needs to be the last domain in the list, this is why I suggest testing this before the tac case.
Also this optimized split tunneling was added inm 8.1 version and again they give examples with *.<domain-name>
Also double check your globalprotect license just in case as this option is inluded with it not with the normal license. I don't think this is the issue but just in case.
03-26-2021 07:03 AM
Hi @nikoolayy1
I think you are referring to split tunnel domains.
I think the setting that is having issues is the DNS search suffix here... Network Services
03-26-2021 07:50 AM
Yes we hav facing the issue here on network services
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!