- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
04-29-2011 04:26 AM
Hi,
In the "PAN-OS Command Line Interface Reference Guide Release 4.0", we found the following options which specify the refresh times for "FQDN object entries".
+ fqdn-forcerefresh-time — Seconds for Periodic Timer to force refresh FQDN object entries (14400-86400)
+ fqdn-refresh-time — Seconds for Periodic Timer to refresh expired FQDN object entries (1800-14399)
Could you please explain the difference between these two options.
Thank you
05-03-2011 12:41 AM
Use 'request system fqdn show' to see FQDN to IP mapping, remaining TTL, and # secs since last refresh.
'fqdn-refresh-time' is the time period between checks for TTL expirations (default 1hr). When this timer occurs a refresh will be triggered for every object that has expired.
'fqdn-forcerefresh-time' causes a reload of any long living unrefreshed FQDN entires at least 1 time per day (default 24 hrs, range 4 - 24hrs).
You can refresh all entires with 'request system fqdn refresh', but there is no way to refresh only a single FQDN entry.
A commit will collect all new FQDN entries for IP lookup and purge any recently deleted entries, then the 'fqdn-refresh-time' will be reset. Thus, previous IP mappings are kept without requiring unnecessary DNS queries.
FQDN objects are resolved on individual devices and not Panorama.
05-03-2011 12:41 AM
Use 'request system fqdn show' to see FQDN to IP mapping, remaining TTL, and # secs since last refresh.
'fqdn-refresh-time' is the time period between checks for TTL expirations (default 1hr). When this timer occurs a refresh will be triggered for every object that has expired.
'fqdn-forcerefresh-time' causes a reload of any long living unrefreshed FQDN entires at least 1 time per day (default 24 hrs, range 4 - 24hrs).
You can refresh all entires with 'request system fqdn refresh', but there is no way to refresh only a single FQDN entry.
A commit will collect all new FQDN entries for IP lookup and purge any recently deleted entries, then the 'fqdn-refresh-time' will be reset. Thus, previous IP mappings are kept without requiring unnecessary DNS queries.
FQDN objects are resolved on individual devices and not Panorama.
11-16-2011 07:22 AM
We are seeing the following since yesterday on PA 2050 running 4.0.5 code.
Show Jobs output
2011/11/15 02:38:50 3017 FqdnRefresh FIN FAIL 100 %
2011/11/15 02:08:44 3016 FqdnRefresh FIN FAIL 100 %
2011/11/15 01:38:35 3015 FqdnRefresh FIN FAIL 100 %
2011/11/15 01:08:27 3014 FqdnRefresh FIN FAIL 100 %
2011/11/15 00:38:22 3013 FqdnRefresh FIN FAIL 100 %
2011/11/15 00:08:13 3012 FqdnRefresh FIN FAIL 100 %
2011/11/14 23:38:07 3011 FqdnRefresh FIN FAIL 100 %
2011/11/14 23:07:59 3010 FqdnRefresh FIN FAIL 100 %
2011/11/14 22:37:51 3009 FqdnRefresh FIN FAIL 100 %
2011/11/14 22:06:58 3008 FqdnRefresh FIN FAIL 100 %
showing fqdn table, unable to resolve IP address to dns.
FQDN Table : Last Request time Wed Nov 16 14:48:00 2011-------------------------------------------------------------------------------- IP Address Remaining TTL Secs Since Refreshed--------------------------------------------------------------------------------VSYS : vsys1
cdn.redhat.com (Objectname H-cdn.redhat.com):
Not resolved
git.kernel.org (Objectname H-git.kernel.org):
Not used
gsyprf10.external.hp.com (Objectname H-gsyprf10.external.hp.com):
Not used
mirrors.kernel.org (Objectname H-mirrors.kernel.org):
Not used
subscription.rhn.redhat.com (Objectname H-subscription.rhn.redhat.com):
Not resolved
test.kernel.org (Objectname H-test.kernel.org):
Not used
xmlrpc.rhn.redhat.com (Objectname H-xmlrpc.rhn.redhat.com):
Not resolved
VSYS : shared
Ping seems to work just fine with the dns name.
FW1(active)> ping host cdn.redhat.comPING e4177.g.akamaiedge.net (173.222.128.251) 56(84) bytes of data.64 bytes from a173-222-128-251.deploy.akamaitechnologies.com (173.222.128.251): icmp_seq=1 ttl=59 time=6.58 ms64 bytes from a173-222-128-251.deploy.akamaitechnologies.com (173.222.128.251): icmp_seq=2 ttl=59 time=7.45 ms
Any help would be appreciated.
Thanks & Regards
Junaid
12-09-2011 07:39 AM
Hello,
Your FqdnRefresh processes are failed
2011/11/15 02:38:50 3017 FqdnRefresh FIN FAIL 100 %
You should ask to Palo Alto why, as if these processes failed you will never get resolved entries in your fqdn table.
Regards
Hubert
02-15-2012 03:41 PM
Thanks, It turned out to be management process chewing up memory. temporary fix was to reboot the system or restart the management server process, Permanent fix seem to be implemented in 4.0.9 code. We updated our boxes to this code last week and since then, not seeing this issue.
Rgds
Junaid
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!