What Happens to FQDNs in a Security Policy when DNS Time-to-Live Expires and Device Cannot Reach DNS


L4 Transporter

What will happen in that case when the DNS server becomes unreachable?

Would the destination server be unreachable?

Possible solution if the DNS server becomes unreachable.

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 |

Cyber Elite

The FQDN object will retain its old mapping even after the TTL expires if the DNS server is unreachable at the time of expiry.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Cyber Elite

@fatboy1607,

So the only time the firewall actually takes the TTL into account is 9.0 and later; 8.1 and lower don't care about the record's TTL. Within 9.0 you have the option of configuring both a Minimum FQDN Refresh and a Stale Entry Timeout. The Stale Entry setting is what you will want to look at and configure appropriately, as that's how long the firewall will continue to use its cache for FQDN objects if the DNS server isn't reachable.

 

Prior to 9.0, the firewall doesn't take the TTL into account. It would refresh at whatever interval you have configured, and if the DNS server became unreachable it would utilize its cache entry until it was able to refresh, the firewall was restarted, or the cache was cleared.
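To make the behaviour described in these replies concrete, here is a small model of the FQDN cache as an added example; it is not PAN-OS code and not from the thread's authors. The `honor_ttl`, `refresh` and `stale_timeout` parameters, the resolver callback and the timeline values are constructed assumptions that follow the settings named above; the model covers both the 9.0+ mode (TTL plus Stale Entry Timeout) and the pre-9.0 mode (fixed interval, cache kept until a refresh succeeds).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model of the FQDN cache behaviour described in the thread; not PAN-OS code.
Resolver = Callable[[str], Optional[Tuple[List[str], int]]]  # (addresses, ttl) or None if DNS is unreachable

@dataclass
class FqdnEntry:
    addresses: List[str]
    resolved_at: float                    # time of the last successful resolution
    ttl: int                              # TTL carried by that answer
    failed_since: Optional[float] = None  # when refresh first failed after the entry fell due

class FqdnCache:
    def __init__(self, resolver: Resolver, honor_ttl: bool, refresh: int, stale_timeout: Optional[int]):
        self.resolver = resolver
        self.honor_ttl = honor_ttl          # 9.0+: refresh when the TTL expires; pre-9.0: fixed interval only
        self.refresh = refresh              # Minimum FQDN Refresh (9.0+) or the fixed refresh interval (pre-9.0)
        self.stale_timeout = stale_timeout  # Stale Entry Timeout (9.0+); None = keep the cache until refresh succeeds
        self.entries: Dict[str, FqdnEntry] = {}
    def _maybe_refresh(self, fqdn: str, now: float) -> None:
        e = self.entries.get(fqdn)
        if e is not None:
            due_after = max(e.ttl, self.refresh) if self.honor_ttl else self.refresh
            if now < e.resolved_at + due_after:
                return  # not due yet; the cached mapping is used as-is
        answer = self.resolver(fqdn)
        if answer is not None:
            self.entries[fqdn] = FqdnEntry(list(answer[0]), now, answer[1])
        elif e is not None and e.failed_since is None:
            e.failed_since = now  # DNS unreachable at expiry: mapping is kept but is now stale
    def addresses_for_policy(self, fqdn: str, now: float) -> List[str]:
        # Addresses the security policy would match for this FQDN object at time `now`.
        self._maybe_refresh(fqdn, now)
        e = self.entries.get(fqdn)
        if e is None:
            return []
        if self.stale_timeout is not None and e.failed_since is not None and now >= e.failed_since + self.stale_timeout:
            del self.entries[fqdn]  # stale timeout reached: the object empties and traffic stops matching the rule
            return []
        return e.addresses

def simulate_outage(honor_ttl: bool, stale_timeout: Optional[int]) -> List[List[str]]:
    """Constructed timeline: DNS answers once at t=0 (TTL 300 s), then stays unreachable."""
    dns_up = [True]
    resolver: Resolver = lambda _name: (["203.0.113.10"], 300) if dns_up[0] else None
    cache = FqdnCache(resolver, honor_ttl, refresh=30, stale_timeout=stale_timeout)
    results = [cache.addresses_for_policy("app.example.com", 0)]
    dns_up[0] = False
    for t in (200, 400, 2199, 2200, 90000):  # inside TTL, after TTL, just before/at stale timeout, long after
        results.append(cache.addresses_for_policy("app.example.com", t))
    return results
```

With `simulate_outage(True, 1800)` the rule keeps matching 203.0.113.10 until the stale timeout is reached at t=2200 and then matches nothing; with `simulate_outage(False, None)` the pre-9.0 behaviour keeps the last mapping for the whole outage.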
