Timer to refresh FQDN object entries

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Timer to refresh FQDN object entries

L0 Member

Hi,

In the "PAN-OS Command Line Interface Reference Guide Release 4.0", we found the following options which specify the refresh times for "FQDN object entries".

+ fqdn-forcerefresh-time — Seconds for Periodic Timer to force refresh FQDN object entries (14400-86400)

+ fqdn-refresh-time — Seconds for Periodic Timer to refresh expired FQDN object entries (1800-14399)

Could you please explain the difference between these two options.

Thank you

1 accepted solution

Accepted Solutions

L1 Bithead

Use 'request system fqdn show' to see FQDN to IP mapping, remaining TTL, and # secs since last refresh.

'fqdn-refresh-time'  is the time period between checks for TTL expirations (default 1hr).  When this timer occurs a refresh will be triggered for every object that  has expired.

'fqdn-forcerefresh-time'  causes a reload of any long living unrefreshed FQDN entires at least 1  time per day (default 24 hrs, range 4 - 24hrs).

You can refresh all entires with 'request system fqdn refresh', but there is no way to refresh only a single FQDN entry.

A  commit will collect all new FQDN entries for IP lookup and purge any  recently deleted entries, then the 'fqdn-refresh-time' will be reset.  Thus, previous IP mappings are kept without requiring unnecessary DNS  queries.

FQDN objects are resolved on individual devices and not Panorama.

View solution in original post

4 REPLIES 4

L1 Bithead

Use 'request system fqdn show' to see FQDN to IP mapping, remaining TTL, and # secs since last refresh.

'fqdn-refresh-time'  is the time period between checks for TTL expirations (default 1hr).  When this timer occurs a refresh will be triggered for every object that  has expired.

'fqdn-forcerefresh-time'  causes a reload of any long living unrefreshed FQDN entires at least 1  time per day (default 24 hrs, range 4 - 24hrs).

You can refresh all entires with 'request system fqdn refresh', but there is no way to refresh only a single FQDN entry.

A  commit will collect all new FQDN entries for IP lookup and purge any  recently deleted entries, then the 'fqdn-refresh-time' will be reset.  Thus, previous IP mappings are kept without requiring unnecessary DNS  queries.

FQDN objects are resolved on individual devices and not Panorama.

We are seeing the following since yesterday on PA 2050 running 4.0.5 code.

Show Jobs output

2011/11/15 02:38:50        3017      FqdnRefresh       FIN   FAIL 100 %    
2011/11/15 02:08:44        3016      FqdnRefresh       FIN   FAIL 100 %    
2011/11/15 01:38:35        3015      FqdnRefresh       FIN   FAIL 100 %    
2011/11/15 01:08:27        3014      FqdnRefresh       FIN   FAIL 100 %    
2011/11/15 00:38:22        3013      FqdnRefresh       FIN   FAIL 100 %    
2011/11/15 00:08:13        3012      FqdnRefresh       FIN   FAIL 100 %    
2011/11/14 23:38:07        3011      FqdnRefresh       FIN   FAIL 100 %    
2011/11/14 23:07:59        3010      FqdnRefresh       FIN   FAIL 100 %    
2011/11/14 22:37:51        3009      FqdnRefresh       FIN   FAIL 100 %    
2011/11/14 22:06:58        3008      FqdnRefresh       FIN   FAIL 100 %    

showing fqdn table, unable to resolve IP address to dns.

FQDN Table : Last Request time Wed Nov 16 14:48:00 2011--------------------------------------------------------------------------------                      IP Address     Remaining TTL     Secs Since Refreshed--------------------------------------------------------------------------------VSYS  : vsys1
cdn.redhat.com  (Objectname H-cdn.redhat.com):
                    Not resolved
git.kernel.org  (Objectname H-git.kernel.org):
                        Not used
gsyprf10.external.hp.com  (Objectname H-gsyprf10.external.hp.com):
                        Not used
mirrors.kernel.org  (Objectname H-mirrors.kernel.org):
                        Not used
subscription.rhn.redhat.com  (Objectname H-subscription.rhn.redhat.com):
                    Not resolved
test.kernel.org  (Objectname H-test.kernel.org):
                        Not used
xmlrpc.rhn.redhat.com  (Objectname H-xmlrpc.rhn.redhat.com):
                    Not resolved
VSYS  : shared

Ping seems to work just fine with the dns name.

FW1(active)> ping host cdn.redhat.comPING e4177.g.akamaiedge.net (173.222.128.251) 56(84) bytes of data.64 bytes from a173-222-128-251.deploy.akamaitechnologies.com (173.222.128.251): icmp_seq=1 ttl=59 time=6.58 ms64 bytes from a173-222-128-251.deploy.akamaitechnologies.com (173.222.128.251): icmp_seq=2 ttl=59 time=7.45 ms

Any help would be appreciated.

Thanks & Regards

Junaid

Hello,

Your FqdnRefresh processes are failed

2011/11/15 02:38:50        3017      FqdnRefresh       FIN   FAIL 100 %   

You should ask to Palo Alto why, as if these processes failed you will never get resolved entries in your fqdn table.

Regards

Hubert

Thanks, It turned out to be management process chewing up memory. temporary fix was to reboot the system or restart the management server process, Permanent fix seem to be implemented in 4.0.9 code. We updated our boxes to this code last week and since then, not seeing this issue.

Rgds

Junaid

  • 1 accepted solution
  • 5282 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!