Different DNS Servers


L1 Bithead

Hello,

We have a lot of servers in production (PRD) and development (DVE) domain.

Servers in the PRD domain use our internal PRD-DNS-Server and those in the DVE domain use our internal DVE-DNS-Server. Our PA-5400 series firewall is considered to be in the PRD domain and hence uses the internal PRD-DNS-Server to resolve FQDN objects.

 

Now what happens is that, intermittently, our DVE servers are unable to reach certain internet URLs. We found that, even though we have a policy on our firewall with an FQDN object for that domain, at certain instances the IPs resolved by PRD-DNS-Server and DVE-DNS-Server are different, and hence the firewall blocks the connection.

I have tried adjusting the FQDN refresh time on the PA firewall, but it does not help because it depends on which IP is getting resolved at the moment of the issue.

 

Any idea on how to get around this problem? If I use the internal DVE-DNS-Server to resolve firewall objects, then the production servers will have issues accessing the URLs.

1 REPLY

Cyber Elite

Set up DNS Proxy on the Palo.

Add the Palo DNS Proxy IP into the Domain Controller's Forwarder field in the DNS settings (or DNAT outgoing port 53 traffic to the DNS Proxy IP on the Palo).

This forces both domains to use the Palo to resolve IPs, and the Palo will cache the correct IP.

Principal Architect @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
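As an added diagnostic that is not part of the thread (the resolver addresses and FQDN in the usage note are placeholders), the script below queries one named DNS server directly over UDP and reports which addresses a DVE client could be handed that the firewall, resolving through PRD-DNS-Server, would not have in its FQDN object cache:

```python
import random
import socket
import struct

def build_a_query(fqdn, txid):
    """Minimal DNS query packet for an A record, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in fqdn.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(buf, off):
    """Advance past a name, which may end in a 2-byte compression pointer."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += length + 1

def parse_a_records(resp, txid):
    """IPv4 addresses in the answer section; empty set on bad id or non-zero RCODE."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or flags & 0x000F:
        return set()
    off, ips = 12, set()
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips

def resolve_a(server, fqdn, timeout=2.0):
    """Query one specific DNS server over UDP, bypassing the system resolver."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(fqdn, txid), (server, 53))
        resp, _ = s.recvfrom(4096)
    return parse_a_records(resp, txid)

def blocked_for_client(firewall_view, client_view):
    """Addresses the client may pick that the firewall's FQDN cache never learned."""
    return client_view - firewall_view
```

Run `resolve_a("10.0.0.53", "example.com")` and `resolve_a("10.1.0.53", "example.com")` (placeholder addresses for PRD-DNS-Server and DVE-DNS-Server) for each FQDN used in policy and pass the two sets to `blocked_for_client`; a non-empty result is the divergence behind the intermittent blocks, and after pointing both domains at the DNS proxy it should stay empty.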