What Happens to FQDNs in a Security Policy when DNS Time-to-Live Expires and Device Cannot Reach DNS





What will happen in that case when the DNS server becomes unreachable?

Would the destination server be unreachable?

Possible solution if the DNS server becomes unreachable?

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | CCNP | CCSA | SPSP | SPSX | F5-101 | CCIE-SEC-Attempted
L7 Applicator

The FQDN object will retain its old mapping even after the TTL expires if the DNS server is unreachable at the time of expiry.

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
Cyber Elite


So the only time the firewall actually takes TTL into account is 9.0 and later; otherwise, 8.1 and lower don't care about the record's TTL. Within 9.0 you have an option of configuring both a Minimum FQDN refresh, along with a Stale Entry timeout. The Stale Entry setting is what you will want to look at and configure appropriately, as that's how long the firewall will continue to use its cache for FQDN objects if the DNS server isn't reachable.


Prior to 9.0, the firewall doesn't take into account the TTL. It would refresh at whatever interval you have configured, and if the DNS server became unreachable it would utilize its cache entry until it was able to either refresh, the firewall was restarted, or the cache was cleared.
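As an added example (not from this thread and not Palo Alto Networks code), the small Python model below replays the two behaviours described in the answers: the pre-9.0 cache ignores the record TTL and keeps the last mapping for as long as DNS stays unreachable, while the 9.0+ cache refreshes after max(TTL, Minimum FQDN refresh) and drops the mapping once the Stale Entry timeout has passed without a successful resolution. The hostname, address and every timer value are constructed assumptions for the simulation, not PAN-OS defaults.

```python
from dataclasses import dataclass

# Constructed DNS data and timings for the example; these are not PAN-OS defaults.
NAME = "api.example.test"
ANSWERS = {NAME: (["192.0.2.10"], 60)}  # name -> (addresses, TTL in seconds)

@dataclass
class Entry:
    ips: list
    next_refresh: int  # when the next resolution attempt is due
    last_success: int  # time of the last successful resolution

class FqdnCache:
    """honor_ttl=False: pre-9.0, refresh every refresh_interval s, keep cached mapping
    while DNS is down. honor_ttl=True: 9.0+, refresh after max(TTL, min_refresh) s,
    drop mapping after stale_timeout s without a successful resolution."""
    def __init__(self, lookup, honor_ttl, refresh_interval, min_refresh, stale_timeout):
        self.lookup, self.honor_ttl = lookup, honor_ttl
        self.refresh_interval, self.min_refresh = refresh_interval, min_refresh
        self.stale_timeout, self.entries = stale_timeout, {}

    def _interval(self, ttl):
        return max(ttl, self.min_refresh) if self.honor_ttl else self.refresh_interval

    def resolve(self, name, now):
        """Addresses the policy would match for `name` at time `now` ([] = none)."""
        entry = self.entries.get(name)
        if entry is None or now >= entry.next_refresh:
            answer = self.lookup(name)
            if answer is not None:
                ips, ttl = answer
                entry = self.entries[name] = Entry(list(ips), now + self._interval(ttl), now)
            elif entry is None:
                return []  # never resolved: the FQDN object matches nothing
            elif self.honor_ttl and now - entry.last_success >= self.stale_timeout:
                del self.entries[name]  # stale-entry timeout reached: stop using it
                return []
            else:  # DNS unreachable: keep the last mapping and retry later
                entry.next_refresh = now + self._interval(0)
        return list(entry.ips)

def scenario(honor_ttl):
    """Resolve at t=0, lose DNS reachability, then query at t=100 and t=5000."""
    state = {"reachable": True}
    # lookup returns (ips, ttl) on success or None while the DNS server is unreachable
    lookup = lambda n: ANSWERS.get(n) if state["reachable"] else None
    cache = FqdnCache(lookup, honor_ttl, refresh_interval=1800, min_refresh=30, stale_timeout=3600)
    first = cache.resolve(NAME, 0)
    state["reachable"] = False
    return first, cache.resolve(NAME, 100), cache.resolve(NAME, 5000)
```

`scenario(False)` keeps returning the cached address at every step, whereas `scenario(True)` still serves it at t=100 but returns an empty match at t=5000, after the 3600 s stale timeout has elapsed.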
