Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
08-19-2022 04:29 PM
We did a trial of DNS Security, after its expiration pushes from Panorama failed with warning "No Valid DNS Security License" Did a fair bit of searching, only real suggestion was here, that said to set all DNS Policies to Allow, that did not resolve the warning. Tried setting DNS Signatures to Default, still same commit warning.
Poking around CLI, I was able to delete all the botnet-domains in our Spyware profile, commit and push with ZERO warnings; this successfully removed the DNS Security warnings. Hallelujah!
I've not been able to find this anywhere, and so far Support doesn't seem to know about it either; their suggestion was what I found (set all to allow) that does not work.
Before:
admin@Panorama# show shared profiles spyware "Default Anti-Spyware"
set shared profiles spyware "Default Anti-Spyware" rules simple-critical action reset-both
set shared profiles spyware "Default Anti-Spyware" rules simple-critical severity critical
set shared profiles spyware "Default Anti-Spyware" rules simple-critical threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-critical category any
set shared profiles spyware "Default Anti-Spyware" rules simple-critical packet-capture single-packet
set shared profiles spyware "Default Anti-Spyware" rules simple-high action reset-both
set shared profiles spyware "Default Anti-Spyware" rules simple-high severity high
set shared profiles spyware "Default Anti-Spyware" rules simple-high threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-high category any
set shared profiles spyware "Default Anti-Spyware" rules simple-high packet-capture single-packet
set shared profiles spyware "Default Anti-Spyware" rules simple-medium action alert
set shared profiles spyware "Default Anti-Spyware" rules simple-medium severity medium
set shared profiles spyware "Default Anti-Spyware" rules simple-medium threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-medium category any
set shared profiles spyware "Default Anti-Spyware" rules simple-medium packet-capture disable
set shared profiles spyware "Default Anti-Spyware" rules simple-low action alert
set shared profiles spyware "Default Anti-Spyware" rules simple-low severity low
set shared profiles spyware "Default Anti-Spyware" rules simple-low threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-low category any
set shared profiles spyware "Default Anti-Spyware" rules simple-low packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains lists default-paloalto-dns action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains lists default-paloalto-dns packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-adtracking log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-adtracking action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-adtracking packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-cc log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-cc action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-cc packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-ddns log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-ddns action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-ddns packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-grayware log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-grayware action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-grayware packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-malware log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-malware action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-malware packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-parked log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-parked action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-parked packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-phishing log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-phishing action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-phishing packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-proxy log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-proxy action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-proxy packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-recent log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-recent action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-recent packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains sinkhole ipv4-address 127.0.0.1
set shared profiles spyware "Default Anti-Spyware" botnet-domains sinkhole ipv6-address ::1
set shared profiles spyware "Default Anti-Spyware" botnet-domains threat-exception
set shared profiles spyware "Default Anti-Spyware" threat-exception 14978 action default
After:
admin@Panorama# delete shared profiles spyware "Default Anti-Spyware" botnet-domains
admin@Panorama# show shared profiles spyware "Default Anti-Spyware"
set shared profiles spyware "Default Anti-Spyware" rules simple-critical action reset-both
set shared profiles spyware "Default Anti-Spyware" rules simple-critical severity critical
set shared profiles spyware "Default Anti-Spyware" rules simple-critical threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-critical category any
set shared profiles spyware "Default Anti-Spyware" rules simple-critical packet-capture single-packet
set shared profiles spyware "Default Anti-Spyware" rules simple-high action reset-both
set shared profiles spyware "Default Anti-Spyware" rules simple-high severity high
set shared profiles spyware "Default Anti-Spyware" rules simple-high threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-high category any
set shared profiles spyware "Default Anti-Spyware" rules simple-high packet-capture single-packet
set shared profiles spyware "Default Anti-Spyware" rules simple-medium action alert
set shared profiles spyware "Default Anti-Spyware" rules simple-medium severity medium
set shared profiles spyware "Default Anti-Spyware" rules simple-medium threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-medium category any
set shared profiles spyware "Default Anti-Spyware" rules simple-medium packet-capture disable
set shared profiles spyware "Default Anti-Spyware" rules simple-low action alert
set shared profiles spyware "Default Anti-Spyware" rules simple-low severity low
set shared profiles spyware "Default Anti-Spyware" rules simple-low threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-low category any
set shared profiles spyware "Default Anti-Spyware" rules simple-low packet-capture disable
set shared profiles spyware "Default Anti-Spyware" threat-exception 14978 action default
02-17-2023 02:00 PM
I found the solution to the "No Valid DNS Security License" error caused by the Anti-Spyware profile. In addition to changing the POLICY ACTION to allow and PACKET CAPTURE to disable, you need to change the LOG SEVERITY to none. I hope this helps someone. (This worked successfully on PAN-OS 10.2.2 & 10.2.3-h2)
08-22-2022 04:45 AM
Hey @SteveBrown99
Interesting finding.
Allow with packet capture disable is the default configuration. Similar to any other part of PAN XML config file, if anything is not explicetly mentioned in the config, firewall will apply the default.
However if you set this configuration to something else or just explicetly set it to allow, this will still be part of the configuration file.
It looks like the DNS license check is probably only checking if botnet-domains is refered by the configuration and not what action is applied.
02-17-2023 02:00 PM
I found the solution to the "No Valid DNS Security License" error caused by the Anti-Spyware profile. In addition to changing the POLICY ACTION to allow and PACKET CAPTURE to disable, you need to change the LOG SEVERITY to none. I hope this helps someone. (This worked successfully on PAN-OS 10.2.2 & 10.2.3-h2)
02-24-2023 07:00 AM
Great, that works, thank you!
08-23-2023 09:54 AM
I don't feel the above solution is the complete solution. In actuality you could leave all that as is, and it doesn't matter if you created a new Anti-spyware profile or not. You can't delete the default or strict profiles or change them. So what matters is the settings located under Policies. These policies decide whether the Objects within the Security Profiles for Anti-Spyware are used.
With that said;
If you go into Policies > Security
And you check your settings there to make sure that you don't see the shield within any of your security policies under profile. If you see the shield then you are using one of the objects Anti-spyware policies.
If you click on the Security Policy Rule > Actions > Profile Setting > Profile Type. Set this to none and the shield will be replaced with none. Commit your changes and the "No DNS Security License." will no longer plague you while committing.
04-07-2024 08:43 PM
Hi Jeff may i know which shield you are exactly talking about? is it possible to share a screen shot tobe clear about what shield you are referring to ?
04-11-2024 12:28 AM
Hi @mohammad_saqib+ ,
He means the Security Profile icon, which is displayed as a protective shield icon in the Security Policy:
Kind regards,
-Kim.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
