06-16-2022 04:38 AM
Hi everyone,
We have recently upgraded PA-820 to PAN-OS 10.1.5. After that, we observed we cannot resolve any FQDN from the firewall.
* We have verified the DNS setting Device > Setup > Services > Primary as 8.8.8.8 and local.
* We have tested by changing the service route of DNS to LAN, WAN, and default and allowed complete access in policy, still no use.
* We have restarted the MGMT server and DNS-Proxy process but still no use, getting errors such as "ping: unknown host FQDN".
* Also observed it is working fine on machines behind this firewall. Only unable to resolve from the firewall CLI.
Can anyone please help me to address this issue?
07-13-2022 05:32 AM
Hi @OtakarKlier :
PA TAC update is:
This behavior is observed on PAN 10.1.6. There is no target fix for this bug.
As the resolution is either remove the domain name (if not required) and if required then there should not be any space.
PAN-196841 will be fixed as with same configuration we observed that content and dynamic updates working fine on PAN OS 10.1.3.
The issue was due to invalid domain string name configured on the firewall under General setting>>Domain.
Device --> Setup --> Management --> General Settings --> Domain -->
+We removed the domain and issue got fixed.
Recently there was a fix added to validate all hostname/domain name strings from sysdagent. Hence quite possible that this string was accepted in earlier versions
06-16-2022 09:44 AM
You're not alone on this one. I am running 10.1.5. I have been dealing with this issue for the past week or so. I am looking at upgrading to 10.1.6 since it was recently approved as the preferred release. My setup is pretty simple, it's only a Palo 440 trunked to a Cisco 2960XR. I have thrown just about everything at it and still no luck.
06-16-2022 10:09 AM
Hello,
Looks like 10.1.6 is the preferred release. I'm running it and have not seen the issue you are describing.
Regards,
06-16-2022 10:14 AM
@JuanRodriguezIT and @OtakarKlier : Thanks for your reply. Is there any other workaround except the PAN-OS upgrade?
06-16-2022 11:25 AM
If you don't want to upgrade I would go back to the previous version. I am looking at upgrading to 10.1.6 but obviously that needs to be done after hours. @OtakarKlier mentioned he has no issues so I am hoping that will fix my issue because, as I mentioned, I've hit this thing from all angles except downgrading or upgrading 😞
07-11-2022 07:38 AM
Hi,
I have upgraded the PAN-OS to 10.1.6, but still the same issue: unable to resolve FQDN, getting "Unknow Host: www.google.com".
Need help to address the issue.
07-11-2022 12:05 PM
Hello,
I would say opening a support case would be in order. I'd be interested to see what they have to say.
Regards,
09-21-2022 12:20 AM
Further to this I have found it only seems to affect Panorama-pushed config. In testing this did not impact us when the domain name was entered locally on the firewall rather than being pushed from Panorama.
09-21-2022 07:01 AM
Hello, may I ask what PAN-OS you are running? I had to go down to 10.1.4h4 to get this FQDN issue resolved.
09-21-2022 12:19 PM
We are on PANOS 10.1.6-h6
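
The TAC finding quoted in this thread (a Domain string containing a space breaks name resolution from the firewall after the upgrade) can be checked for before upgrading by auditing an exported configuration, including one pushed from Panorama. The following is an added example, not code from any poster or from Palo Alto Networks: the `deviceconfig/system/hostname` and `deviceconfig/system/domain` element locations and the RFC 1123-style label rule are assumptions, and the sample XML is constructed.

```python
import re
import xml.etree.ElementTree as ET

# RFC 1123-style label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def domain_problems(value):
    """Return reasons why a hostname/domain string is not a valid DNS name."""
    if not value:
        return []  # an empty Domain field is fine (removing it was the thread's fix)
    if re.search(r"\s", value):
        return ["contains whitespace"]  # the case TAC called out
    problems = []
    name = value.rstrip(".")
    if len(name) > 253:
        problems.append("longer than 253 characters")
    for label in name.split("."):
        if not LABEL.match(label):
            problems.append(f"invalid label {label!r}")
    return problems

def audit_config(xml_text):
    """Check hostname and domain under every deviceconfig/system element.

    Assumption: the export keeps these settings at deviceconfig/system/hostname
    and deviceconfig/system/domain, both locally and inside Panorama templates.
    """
    findings = []
    for devcfg in ET.fromstring(xml_text).iter("deviceconfig"):
        for tag in ("hostname", "domain"):
            node = devcfg.find(f"system/{tag}")
            if node is not None:
                findings += [(tag, node.text, p) for p in domain_problems(node.text)]
    return findings

# Constructed sample export (not taken from the thread): domain contains a space.
SAMPLE = """<config><devices><entry name="localhost.localdomain">
  <deviceconfig><system>
    <hostname>fw-branch-01</hostname>
    <domain>corp example.com</domain>
  </system></deviceconfig>
</entry></devices></config>"""

if __name__ == "__main__":
    for tag, value, problem in audit_config(SAMPLE):
        print(f"{tag}={value!r}: {problem}")
```

Running it against an export taken before the upgrade lists any hostname or domain value that a stricter validator could reject.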