Passive firewall DNS request

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Passive firewall DNS request

L4 Transporter

Hi,

We have a cluster PA (active/passive), and checking the logs we realised that PA passive is sending DNS connections to its DNS configure like secondary. Shouldnt do this connection only the active PA???? why the passive is doing this request DNS being the passive firewall???

Thanks,

Best regards

Jesus C.

1 accepted solution

Accepted Solutions

Hello COS,

If we look at the packet capture for the DNS request we can know to what domain the request is happening. If the domain is fake / repetitive / in excess then it can be termed an attack or so. If the domains are genuine and if they are related to paloalto then it is normal.

( Apps and Threat updates, software updates, url database updates and so on )

We will have to find what kind of request is going for the dns server based on that we can configure the firewall management interface to either fetch that data or deny. For instance if Dynamic updates are not needed then we can set the schedule to none so that it does not fetch the content updates.

We see that all the request to the DNS server is from the management interface. If this is not needed then through the service routes you can customize it to go through any other data ports or probably block traffic on path or remove routes to the dns and so on.

Hope this helps.

View solution in original post

4 REPLIES 4

L7 Applicator

Hello Jesus,

I hope your Passive firewall's management interface connected with your network. For example: if you try to download the dynamic updates on your passive firewall, it will send a DNS request for updates.paloaltonetwork.com to resolve it.

Could you please verify what request the Passive node is sending to your DNS server...?

Thanks

This is our config in the palo alto.

  •          DNS services
    • PA-2050-10.84.96.115 PA-01(active) 
      • Primary DNS Server 146.219.39.201
      • Secondary DNS Server 146.219.39.202

  • PA-2050-10.84.96.116 PA-02(passive)
    • Primary DNS Server 192.168.1.1
    • Secondary DNS Server 194.179.1.121



So i can see in the logs in FW1 (active), that there is a connection from management interface FW2 (10.84.96.116) to destination its DNS secondary 194.179.1.121........why does FW2 do this connection??


I attach the logs in FW1


log FW1.jpg

A tool in the DNS server is detecting these request like a attack....

Can you also see the content of the DNS requests? It is possible that these are requests to resolve updates.paloaltonetworks.com, and that it keeps on trying to resolve this if it is not getting a response.

The secondary firewall will also try to do updates, if it is configured to do this (Device - Dynamic updates)

Hello COS,

If we look at the packet capture for the DNS request we can know to what domain the request is happening. If the domain is fake / repetitive / in excess then it can be termed an attack or so. If the domains are genuine and if they are related to paloalto then it is normal.

( Apps and Threat updates, software updates, url database updates and so on )

We will have to find what kind of request is going for the dns server based on that we can configure the firewall management interface to either fetch that data or deny. For instance if Dynamic updates are not needed then we can set the schedule to none so that it does not fetch the content updates.

We see that all the request to the DNS server is from the management interface. If this is not needed then through the service routes you can customize it to go through any other data ports or probably block traffic on path or remove routes to the dns and so on.

Hope this helps.

  • 1 accepted solution
  • 4130 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!