02-17-2021 12:40 PM - edited 02-17-2021 12:50 PM
Just a quick update on this older topic that under PANOS 10.0.x, the DNS Sec license is now integrated in the policy and you can no longer make this change. Additionally, you cannot change the built-in default policy either. The kicker is that my Palo Alto account manager offered to sell me DNS Security licenses to get rid of the error and the TAC Engineer told me that its "cosmetic and just a warning" and to file a feature request through my account manager.
I love when my security team sends me messages every day asking why where are warnings in Panorama about security policies being committed with warnings. Hopefully as more of us move towards 10.0.x Palo Alto will do something about this. It frustrating as this option shouldn't be configurable if we don't have a license.
-Matt
