04-19-2023 06:38 PM
We have a policy rule that contains an FQDN-defined website destination (yandr.wiredrive.com). When initially configured to pass traffic to required cloud-based resources, DNS resolution to the wiredrive.com site would happen regularly, usually after an hour or so. A Palo Alto knowledgebase article about the Fast-DNS caching used by cloud-based resources said that this could be remediated by reducing the FQDN resolution time from the default of 30 minutes to 10 minutes. After the recommended change, the connection functioned normally for a 10-hour shift with no issues. After a few days we noticed that the connection would be lost overnight, and could only be resolved by "toggling" the policy rule, thereby renewing the connection.
Is there a way to configure PAN-OS policy rules to ensure uninterrupted connection to the cloud-based resource, without having to manually renew the connection?
Fast-DNS Resolution Issues
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boQJCAY
How to change the FQDN Refresh Timers
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKbCAK
Thanks
04-20-2023 01:24 AM - edited 04-20-2023 01:25 AM
Hi Paul,
The 10 minutes in your case is probably too long if it is resulting in loss of connectivity after a certain period. Since PAN-OS 9 the timeout can be reduced to seconds, and that is probably what will fix the problem for you.
See this KB article:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cmq0CAC
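The effect of the refresh intervals discussed in this thread (30 minutes, 10 minutes, seconds) can be estimated offline. The following is an added example, not part of either post and not Palo Alto code. It assumes a simplified model in which the firewall matches only the addresses from its most recent resolution; the observations and function names are constructed for illustration.

```python
from bisect import bisect_right

# Constructed observations: (seconds since start, A records returned) for a
# hypothetical fast-rotating name. Addresses are from a documentation range.
OBSERVATIONS = [
    (0,    {"198.51.100.10", "198.51.100.11"}),
    (300,  {"198.51.100.11", "198.51.100.12"}),
    (600,  {"198.51.100.13", "198.51.100.14"}),
    (900,  {"198.51.100.14", "198.51.100.15"}),
    (1200, {"198.51.100.16", "198.51.100.17"}),
    (1500, {"198.51.100.10", "198.51.100.18"}),
]

def answer_at(obs, t):
    """Return the record set in effect at time t (latest observation <= t)."""
    times = [ts for ts, _ in obs]
    return obs[bisect_right(times, t) - 1][1]

def change_intervals(obs):
    """Seconds between successive changes of the answer set."""
    changes = [ts for i, (ts, ips) in enumerate(obs)
               if i == 0 or ips != obs[i - 1][1]]
    return [b - a for a, b in zip(changes, changes[1:])]

def stale_fraction(obs, refresh, horizon, step=60):
    """Fraction of client checks where DNS hands out an address the firewall lacks.

    Assumed model: the firewall re-resolves every `refresh` seconds and matches
    only the addresses from that latest resolution; the client resolves fresh.
    """
    stale = total = 0
    for t in range(0, horizon, step):
        cached = answer_at(obs, (t // refresh) * refresh)
        if not answer_at(obs, t) <= cached:  # client may pick any current address
            stale += 1
        total += 1
    return stale / total

if __name__ == "__main__":
    print("answer set changes every", min(change_intervals(OBSERVATIONS)), "s")
    for refresh in (1800, 600, 60):
        frac = stale_fraction(OBSERVATIONS, refresh, 1800)
        print(f"refresh {refresh:>4}s -> stale {frac:.0%}")
```

Replacing `OBSERVATIONS` with timestamps and answers logged from repeated lookups of the real FQDN shows how far below the observed change interval the refresh timer needs to sit.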