FQDN cache limitations

L4 Transporter

I wanted to reach out to the community and see how people are handling FQDN cache limit issues.

Example:

* Internal DNS caches up to 8 IPs for each FQDN
* PAN device will cache up to 10 (source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHJCA0)

If you have a security policy that allows traffic to blah.domain.com, and that FQDN is in AWS and could be 20/30/100 IPs, your traffic will not always hit the policy allowing the traffic you want to allow, since the IP address the application happens to hit will not always be in the FQDN cache.

possible solution #1: have the vendor add more FQDNs (good luck)

possible solution #2: manually add a ton of IPs to the security policy (horrible idea)

possible solution #3: leave it alone and accept that the application will try again and eventually hit an IP that is cached

possible solution #4: ask the vendor to use a load balancer (good luck)

possible solution #5: ?

Anyone else run into this? I know there has to be a limit somewhere but I can see this being more and more of an issue as things are moved into the cloud.
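The failure mode described in the post can be quantified with a small simulation. The following is an added example, not code from the original post or from Palo Alto Networks; it models the two caps the post quotes (an 8-record DNS answer and a 10-address firewall FQDN object) as constructed parameters and estimates how often a client's connection lands on an address the firewall currently has cached. The refresh model (the firewall keeps the most recently learned addresses and evicts the oldest) is an assumption for illustration, not documented PAN-OS behaviour.

```python
import random
from collections import deque

# Constructed model of the problem in the post:
#   - the FQDN has `total_ips` addresses behind it (e.g. a cloud service)
#   - every DNS lookup returns a random subset of `answer_size` of them
#     (the internal DNS cap of 8 quoted in the post)
#   - the firewall keeps at most `cache_size` addresses for the FQDN object
#     (the cap of 10 quoted in the post), dropping the oldest when full
#   - the client does its own lookup and connects to one returned address
# The policy only matches if that address is in the firewall's FQDN object.


def expected_hit_rate(total_ips: int, cache_size: int = 10) -> float:
    """Back-of-envelope estimate: fraction of the address pool the firewall can
    hold at once. With 100 addresses and a 10-entry cache, roughly 1 in 10
    connections match the FQDN-based rule."""
    return min(cache_size, total_ips) / total_ips


def simulate_hit_rate(total_ips: int, answer_size: int = 8, cache_size: int = 10,
                      trials: int = 5000, seed: int = 1) -> float:
    """Monte Carlo estimate of how often a client's chosen destination is in the
    firewall's FQDN cache. Deterministic for a given seed."""
    rng = random.Random(seed)
    pool = list(range(total_ips))
    per_answer = min(answer_size, total_ips)
    cache = deque(maxlen=cache_size)  # firewall FQDN object: most recent addresses
    hits = 0
    for _ in range(trials):
        # Firewall refreshes its FQDN object from a DNS answer.
        for ip in rng.sample(pool, per_answer):
            if ip in cache:
                cache.remove(ip)  # re-learned address moves to the "newest" end
            cache.append(ip)      # maxlen evicts the oldest when full
        # Client resolves independently and connects to one of its answers.
        dst = rng.choice(rng.sample(pool, per_answer))
        if dst in cache:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print(f"{'pool size':>9} {'expected':>9} {'simulated':>9}")
    for n in (8, 20, 30, 100):
        print(f"{n:>9} {expected_hit_rate(n):>9.2f} {simulate_hit_rate(n):>9.2f}")
```

When the address pool fits inside both caps every connection matches; once the pool grows past the firewall's cache, the match rate falls to roughly cache size divided by pool size, which is the "try again until it works" behaviour the post's option #3 describes. The numbers are only as good as the model, but the shape is what matters for deciding whether an FQDN object is an adequate control for a given destination.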
