Passive firewall DNS request

L4 Transporter

Hi,

We have a PA cluster (active/passive), and checking the logs we realised that the passive PA is sending DNS connections to the DNS server configured as its secondary. Shouldn't only the active PA make this connection? Why is the passive firewall doing this DNS request while it is the passive one?

Thanks,

Best regards

Jesus C.


L7 Applicator

Hello Jesus,

I hope your passive firewall's management interface is connected to your network. For example, if you try to download the dynamic updates on your passive firewall, it will send a DNS request to resolve updates.paloaltonetwork.com.

Could you please verify what request the passive node is sending to your DNS server?

Thanks

This is our config in the Palo Alto.

  • DNS services
    • PA-2050-10.84.96.115 PA-01 (active)
      • Primary DNS Server 146.219.39.201
      • Secondary DNS Server 146.219.39.202
    • PA-2050-10.84.96.116 PA-02 (passive)
      • Primary DNS Server 192.168.1.1
      • Secondary DNS Server 194.179.1.121



So I can see in the logs on FW1 (active) that there is a connection from the management interface of FW2 (10.84.96.116) to its secondary DNS server 194.179.1.121. Why does FW2 make this connection?


I attach the logs from FW1 (attachment: log FW1.jpg).

A tool on the DNS server is detecting these requests as an attack.

Can you also see the content of the DNS requests? It is possible that these are requests to resolve updates.paloaltonetworks.com, and that it keeps on trying to resolve this if it is not getting a response.

The secondary firewall will also try to do updates, if it is configured to do this (Device - Dynamic updates)

Hello COS,

If we look at a packet capture of the DNS request, we can see which domain is being queried. If the domain is fake, repetitive or excessive, then it can be termed an attack. If the domains are genuine and related to Palo Alto, then it is normal.

(Apps and Threats updates, software updates, URL database updates and so on)

We will have to find out what kind of request is going to the DNS server; based on that, we can configure the firewall management interface to either fetch that data or deny it. For instance, if dynamic updates are not needed, then we can set the schedule to none so that it does not fetch the content updates.

We see that all the requests to the DNS server are from the management interface. If this is not needed, then through the service routes you can customize it to go through any other data port, or block the traffic on the path, or remove the routes to the DNS server, and so on.

Hope this helps.
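As an added example that is not part of the thread: a small Python triage script for the check described in this reply. It reads constructed DNS query log lines in an assumed format (timestamp, client IP, resolver IP, queried name), keeps only queries from the passive firewall's management address 10.84.96.116 to its secondary resolver 194.179.1.121 (the values posted earlier in the thread), counts each queried name, marks names under paloaltonetworks.com as expected update traffic, and flags names that repeat beyond a threshold, which is the "repetitive / in excess" pattern a DNS-side tool may classify as an attack.

```python
import re
from collections import Counter

# Constructed sample log lines (not real resolver output); assumed format:
# "<timestamp> client <src_ip> -> <dst_ip> query <qname>"
SAMPLE_LOG = """\
2019-03-01T10:00:01 client 10.84.96.116 -> 194.179.1.121 query updates.paloaltonetworks.com
2019-03-01T10:00:03 client 10.84.96.116 -> 194.179.1.121 query updates.paloaltonetworks.com
2019-03-01T10:00:05 client 10.84.96.116 -> 194.179.1.121 query updates.paloaltonetworks.com
2019-03-01T10:00:06 client 10.84.96.116 -> 194.179.1.121 query updates.paloaltonetworks.com
2019-03-01T10:00:09 client 10.84.96.115 -> 146.219.39.201 query updates.paloaltonetworks.com
2019-03-01T10:00:10 client 10.84.96.116 -> 194.179.1.121 query xk2j9q.example.invalid
2019-03-01T10:00:11 client 10.84.96.116 -> 192.168.1.1 query ntp.example.org
"""

LINE_RE = re.compile(r"^\S+ client (\S+) -> (\S+) query (\S+)$")

# Vendor domains a Palo Alto management interface is expected to resolve for
# content, software and URL database updates; the suffix list is an assumption.
EXPECTED_SUFFIXES = ("paloaltonetworks.com",)


def triage_dns_log(log_text, src_ip, dns_ip, repeat_threshold=3):
    """Count queried names sent from src_ip to dns_ip and classify each one.

    Returns {qname: {"count": n, "expected": bool, "repetitive": bool}}.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src, dst, qname = m.groups()
        if src == src_ip and dst == dns_ip:
            counts[qname.rstrip(".").lower()] += 1
    report = {}
    for qname, n in counts.items():
        expected = any(qname == s or qname.endswith("." + s) for s in EXPECTED_SUFFIXES)
        report[qname] = {"count": n, "expected": expected, "repetitive": n >= repeat_threshold}
    return report


if __name__ == "__main__":
    for name, info in triage_dns_log(SAMPLE_LOG, "10.84.96.116", "194.179.1.121").items():
        verdict = "expected update traffic" if info["expected"] else "investigate"
        flag = ", repetitive (possible retry loop without a response)" if info["repetitive"] else ""
        print(f"{name}: {info['count']} queries, {verdict}{flag}")
```

A repeated query to an expected vendor name usually points at the update schedule retrying against an unreachable resolver, which matches the thread's advice to either give the management interface a working service route or disable the schedule.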
