No Valid DNS Security License - Resolved


L1 Bithead

We did a trial of DNS Security; after its expiration, pushes from Panorama failed with the warning "No Valid DNS Security License". Did a fair bit of searching, only real suggestion was here, that said to set all DNS Policies to Allow; that did not resolve the warning. Tried setting DNS Signatures to Default, still same commit warning.

 

Poking around CLI, I was able to delete all the botnet-domains in our Spyware profile, commit and push with ZERO warnings; this successfully removed the DNS Security warnings. Hallelujah!

 

I've not been able to find this anywhere, and so far Support doesn't seem to know about it either; their suggestion was what I found (set all to allow) that does not work.

 

Before:

admin@Panorama# show shared profiles spyware "Default Anti-Spyware"
set shared profiles spyware "Default Anti-Spyware" rules simple-critical action reset-both
set shared profiles spyware "Default Anti-Spyware" rules simple-critical severity critical
set shared profiles spyware "Default Anti-Spyware" rules simple-critical threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-critical category any
set shared profiles spyware "Default Anti-Spyware" rules simple-critical packet-capture single-packet
set shared profiles spyware "Default Anti-Spyware" rules simple-high action reset-both
set shared profiles spyware "Default Anti-Spyware" rules simple-high severity high
set shared profiles spyware "Default Anti-Spyware" rules simple-high threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-high category any
set shared profiles spyware "Default Anti-Spyware" rules simple-high packet-capture single-packet
set shared profiles spyware "Default Anti-Spyware" rules simple-medium action alert
set shared profiles spyware "Default Anti-Spyware" rules simple-medium severity medium
set shared profiles spyware "Default Anti-Spyware" rules simple-medium threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-medium category any
set shared profiles spyware "Default Anti-Spyware" rules simple-medium packet-capture disable
set shared profiles spyware "Default Anti-Spyware" rules simple-low action alert
set shared profiles spyware "Default Anti-Spyware" rules simple-low severity low
set shared profiles spyware "Default Anti-Spyware" rules simple-low threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-low category any
set shared profiles spyware "Default Anti-Spyware" rules simple-low packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains lists default-paloalto-dns action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains lists default-paloalto-dns packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-adtracking log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-adtracking action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-adtracking packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-cc log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-cc action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-cc packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-ddns log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-ddns action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-ddns packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-grayware log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-grayware action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-grayware packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-malware log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-malware action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-malware packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-parked log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-parked action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-parked packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-phishing log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-phishing action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-phishing packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-proxy log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-proxy action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-proxy packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-recent log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-recent action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-recent packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains sinkhole ipv4-address 127.0.0.1
set shared profiles spyware "Default Anti-Spyware" botnet-domains sinkhole ipv6-address ::1
set shared profiles spyware "Default Anti-Spyware" botnet-domains threat-exception
set shared profiles spyware "Default Anti-Spyware" threat-exception 14978 action default

 

After:

admin@Panorama# delete shared profiles spyware "Default Anti-Spyware" botnet-domains

admin@Panorama# show shared profiles spyware "Default Anti-Spyware"
set shared profiles spyware "Default Anti-Spyware" rules simple-critical action reset-both
set shared profiles spyware "Default Anti-Spyware" rules simple-critical severity critical
set shared profiles spyware "Default Anti-Spyware" rules simple-critical threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-critical category any
set shared profiles spyware "Default Anti-Spyware" rules simple-critical packet-capture single-packet
set shared profiles spyware "Default Anti-Spyware" rules simple-high action reset-both
set shared profiles spyware "Default Anti-Spyware" rules simple-high severity high
set shared profiles spyware "Default Anti-Spyware" rules simple-high threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-high category any
set shared profiles spyware "Default Anti-Spyware" rules simple-high packet-capture single-packet
set shared profiles spyware "Default Anti-Spyware" rules simple-medium action alert
set shared profiles spyware "Default Anti-Spyware" rules simple-medium severity medium
set shared profiles spyware "Default Anti-Spyware" rules simple-medium threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-medium category any
set shared profiles spyware "Default Anti-Spyware" rules simple-medium packet-capture disable
set shared profiles spyware "Default Anti-Spyware" rules simple-low action alert
set shared profiles spyware "Default Anti-Spyware" rules simple-low severity low
set shared profiles spyware "Default Anti-Spyware" rules simple-low threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-low category any
set shared profiles spyware "Default Anti-Spyware" rules simple-low packet-capture disable
set shared profiles spyware "Default Anti-Spyware" threat-exception 14978 action default
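An added example, not part of the post above and not Palo Alto Networks code: a small Python audit that reads `set`-format output like the listing above and reports which Anti-Spyware profiles still carry `botnet-domains dns-security-categories` entries, and which of their settings differ from the values named in this thread. The profile names and sample lines are constructed, and treating `none` as the CLI value for the GUI's "LOG SEVERITY: none" is an assumption.

```python
import shlex
from collections import defaultdict

# Constructed sample in the thread's "set" format; profile names are made up.
P = 'set shared profiles spyware "Branch AS" botnet-domains dns-security-categories '
SAMPLE = "\n".join([
    'set shared profiles spyware "Branch AS" rules simple-high action reset-both',
    P + "pan-dns-sec-cc log-level default",
    P + "pan-dns-sec-cc action allow",
    P + "pan-dns-sec-cc packet-capture disable",
    P + "pan-dns-sec-malware log-level none",
    P + "pan-dns-sec-malware action allow",
    P + "pan-dns-sec-malware packet-capture disable",
    'set shared profiles spyware "Clean AS" rules simple-low action alert',
])

# Settings named in the thread; "none" as the CLI log-level value is an assumption.
NEUTRAL = {"action": "allow", "packet-capture": "disable", "log-level": "none"}

def dns_security_refs(config_text):
    """Return {profile: {category: {setting: value}}} for DNS Security entries."""
    refs = defaultdict(lambda: defaultdict(dict))
    for line in config_text.splitlines():
        try:
            tok = shlex.split(line)  # keeps quoted profile names as one token
        except ValueError:
            continue  # unbalanced quotes: prose, not a config line
        # Match "profiles spyware <name>" anywhere in the path, so a
        # device-group prefix (assumed layout) is handled like "shared".
        for i in range(len(tok) - 2):
            if tok[i:i + 2] == ["profiles", "spyware"]:
                name, rest = tok[i + 2], tok[i + 3:]
                if rest[:2] == ["botnet-domains", "dns-security-categories"] and len(rest) >= 5:
                    refs[name][rest[2]][rest[3]] = rest[4]
                break
    return {p: dict(c) for p, c in refs.items()}

def non_neutral(refs):
    """Sorted (profile, category, setting, value) tuples that differ from NEUTRAL."""
    return sorted(
        (prof, cat, key, settings.get(key, "(unset)"))
        for prof, cats in refs.items()
        for cat, settings in cats.items()
        for key, want in NEUTRAL.items()
        if settings.get(key, "(unset)") != want
    )

if __name__ == "__main__":
    for row in non_neutral(dns_security_refs(SAMPLE)):
        print("differs:", *row)
```
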

Accepted Solutions

L1 Bithead

I found the solution to the "No Valid DNS Security License" error caused by the Anti-Spyware profile. In addition to changing the POLICY ACTION to allow and PACKET CAPTURE to disable, you need to change the LOG SEVERITY to none. I hope this helps someone. (This worked successfully on PAN-OS 10.2.2 & 10.2.3-h2)


Hey @SteveBrown99 

 

Interesting finding.
Allow with packet capture disable is the default configuration. Similar to any other part of the PAN XML config file, if anything is not explicitly mentioned in the config, the firewall will apply the default.

However, if you set this configuration to something else or just explicitly set it to allow, this will still be part of the configuration file.

It looks like the DNS license check is probably only checking if botnet-domains is referred to by the configuration and not what action is applied.

Great, that works, thank you!

Thank you, it works.

I don't feel the above solution is the complete solution. In actuality you could leave all that as is, and it doesn't matter if you created a new Anti-spyware profile or not. You can't delete the default or strict profiles or change them. So what matters is the settings located under Policies. These policies decide whether the Objects within the Security Profiles for Anti-Spyware are used.

With that said;

If you go into Policies > Security

And you check your settings there to make sure that you don't see the shield within any of your security policies under profile. If you see the shield then you are using one of the objects Anti-spyware policies.

If you click on the Security Policy Rule > Actions > Profile Setting > Profile Type. Set this to none and the shield will be replaced with none. Commit your changes and the "No DNS Security License." will no longer plague you while committing.


