I have PAN running version 8.1.17 and it is configured with two DNS servers on the management interface, you know the usual, nothing special. I have security and NAT rules on the PAN firewall that use FQDNs.
Is there a way to detect when the PAN fails to query the DNS server? Is there anything in the system log that will tell me the PAN can NOT resolve DNS queries because DNS servers are not available?
DNS is used by the Management plane and you will not see the logs in the system logs.
If you have two DNS servers configured for the MP, then if the first one does not work it will try the second.
To see the traffic to the DNS server, use this command:
admin@BMS> tcpdump filter "port 53"
Press Ctrl-C to stop capturing
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C6 packets captured
6 packets received by filter
0 packets dropped by kernel
admin@BMS> view-pcap mgmt-pcap mgmt.pcap
16:27:32.181752 IP 192.168.1.10.51698 > 10.25.51.60.domain: 39467+ A? pool.ntp.org. (30)
16:27:32.181783 IP 192.168.1.10.51698 > 10.25.51.60.domain: 48046+ AAAA? pool.ntp.org. (30)
16:27:32.421488 IP 10.25.51.60.domain > 192.168.1.10.51698: 48046 0/1/0 (85)
16:27:32.421675 IP 10.25.51.60.domain > 192.168.1.10.51698: 39467 4/0/0 A 220.127.116.11, A 18.104.22.168, A 22.214.171.124, A 126.96.36.199 (94)
16:27:35.212415 IP 192.168.1.10.37727 > 10.25.51.60.domain: 1564+ [1au] AAAA? home-fw.ecobee.com. (47)
16:27:35.214506 IP 10.25.51.60.domain > 192.168.1.10.37727: 1564 1/1/1 CNAME home-fw.hm-prod.ecobee.com. (167)
where 192.168.1.10 is the management IP of the PA and 10.25.51.50 is my internal DNS server.
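As an added example (not from the thread or from Palo Alto Networks), here is a small Python helper that post-processes the text printed by view-pcap and pairs every DNS query with its reply by client port and transaction ID, so a query that never gets a reply (server unreachable) or that comes back with an error rcode stands out even though nothing appears in the system log. The capture lines below are constructed: the management IP and the 10.25.51.60 server come from the thread, the 10.25.51.70 secondary server and the example.com names are assumptions.

```python
import re

# Line shapes printed by 'tcpdump filter "port 53"' / "view-pcap mgmt-pcap mgmt.pcap".
QUERY_RE = re.compile(
    r"^\S+ IP (?P<client>[\d.]+)\.(?P<sport>\d+) > (?P<server>[\d.]+)\.domain: "
    r"(?P<id>\d+)\+.*? (?P<qtype>[A-Z]+)\? (?P<name>\S+) \(\d+\)$")
RESP_RE = re.compile(
    r"^\S+ IP (?P<server>[\d.]+)\.domain > (?P<client>[\d.]+)\.(?P<sport>\d+): "
    r"(?P<id>\d+)[*\-$|]*(?: (?P<rcode>[A-Za-z]+))? (?P<an>\d+)/\d+/\d+")

def analyze(capture_text):
    """Pair queries with replies by (client port, transaction id) and return lists of
    (name, qtype, server[, rcode]): 'answered', 'nodata' (NOERROR, zero answers),
    'rcode_errors' (ServFail, NXDomain, ...) and 'unanswered' (no reply captured)."""
    pending = {}
    out = {"answered": [], "nodata": [], "rcode_errors": [], "unanswered": []}
    for line in capture_text.splitlines():
        q = QUERY_RE.match(line)
        if q:
            pending[(q["sport"], q["id"])] = q.groupdict()
            continue
        r = RESP_RE.match(line)
        if not r:
            continue
        q = pending.pop((r["sport"], r["id"]), None)
        if q is None:
            continue  # reply to a query that fell outside the capture window
        rec = (q["name"], q["qtype"], q["server"])
        if r["rcode"]:
            out["rcode_errors"].append(rec + (r["rcode"],))
        elif int(r["an"]) == 0:
            out["nodata"].append(rec)
        else:
            out["answered"].append(rec)
    # Anything still pending never got a reply: the server is down, filtered or silent.
    out["unanswered"] = [(q["name"], q["qtype"], q["server"]) for q in pending.values()]
    return out

# Constructed sample: healthy lookup, NODATA reply, a query the primary server never
# answers, then the retry against an assumed secondary server that returns ServFail.
SAMPLE = """\
16:27:32.181752 IP 192.168.1.10.51698 > 10.25.51.60.domain: 39467+ A? pool.ntp.org. (30)
16:27:32.421675 IP 10.25.51.60.domain > 192.168.1.10.51698: 39467 4/0/0 A 203.0.113.10, A 203.0.113.11 (94)
16:27:35.212415 IP 192.168.1.10.37727 > 10.25.51.60.domain: 1564+ [1au] AAAA? fw.example.com. (47)
16:27:35.214506 IP 10.25.51.60.domain > 192.168.1.10.37727: 1564 0/1/0 (85)
16:27:40.000101 IP 192.168.1.10.40001 > 10.25.51.60.domain: 2001+ A? rule-target.example.com. (41)
16:27:45.000102 IP 192.168.1.10.40002 > 10.25.51.70.domain: 2002+ A? rule-target.example.com. (41)
16:27:45.003000 IP 10.25.51.70.domain > 192.168.1.10.40002: 2002 ServFail 0/0/0 (41)
"""

if __name__ == "__main__":
    for kind, items in analyze(SAMPLE).items():
        print(f"{kind}: {items}")
```

Feed it the output of view-pcap saved to a file; a growing 'unanswered' list for one server address is the signal the system log does not give you.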
I know how DNS works and I also know how tcpdump works, but that is not my question.
If the PAN can NOT communicate with DNS over the MP for FQDN resolution, will there be any messages in the system log file that will tell me? Apparently, I see messages in the system log for LDAP, but not DNS. Why?
@dtran It seems this is by PA design.
If you wanna see failure logs for the DNS server in the system logs, you can check with your SE and ask for a feature request.
If you wanna see additional info you can check ms.log, which is part of the management server logs; it shows that it failed to check, but it does not give me any information about the DNS failure.
"error code:-1" may indicate a connection failure:
2020-12-12 14:36:15.666 -0800 Error: pan_mgmtop_support_check_handler(pan_ops_common.c:10318): Error removing file:/opt/pancfg/mgmt/global/supportinfo.xml.10277
2020-12-12 14:36:15.666 -0800 updater error code:-1
2020-12-12 14:37:31.116 -0800 ### MS-DB: RuleHit update: /opt/pancfg/mgmt/devices/localhost.localdomain/rule-hit-count-db.txt
2020-12-12 14:38:07.573 -0800 updater error code:-1
Hope this helps.