08-19-2022 04:29 PM
We did a trial of DNS Security, after its expiration pushes from Panorama failed with warning "No Valid DNS Security License" Did a fair bit of searching, only real suggestion was here, that said to set all DNS Policies to Allow, that did not resolve the warning. Tried setting DNS Signatures to Default, still same commit warning.
Poking around CLI, I was able to delete all the botnet-domains in our Spyware profile, commit and push with ZERO warnings; this successfully removed the DNS Security warnings. Hallelujah!
I've not been able to find this anywhere, and so far Support doesn't seem to know about it either; their suggestion was what I found (set all to allow) that does not work.
Before:
admin@Panorama# show shared profiles spyware "Default Anti-Spyware"
set shared profiles spyware "Default Anti-Spyware" rules simple-critical action reset-both
set shared profiles spyware "Default Anti-Spyware" rules simple-critical severity critical
set shared profiles spyware "Default Anti-Spyware" rules simple-critical threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-critical category any
set shared profiles spyware "Default Anti-Spyware" rules simple-critical packet-capture single-packet
set shared profiles spyware "Default Anti-Spyware" rules simple-high action reset-both
set shared profiles spyware "Default Anti-Spyware" rules simple-high severity high
set shared profiles spyware "Default Anti-Spyware" rules simple-high threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-high category any
set shared profiles spyware "Default Anti-Spyware" rules simple-high packet-capture single-packet
set shared profiles spyware "Default Anti-Spyware" rules simple-medium action alert
set shared profiles spyware "Default Anti-Spyware" rules simple-medium severity medium
set shared profiles spyware "Default Anti-Spyware" rules simple-medium threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-medium category any
set shared profiles spyware "Default Anti-Spyware" rules simple-medium packet-capture disable
set shared profiles spyware "Default Anti-Spyware" rules simple-low action alert
set shared profiles spyware "Default Anti-Spyware" rules simple-low severity low
set shared profiles spyware "Default Anti-Spyware" rules simple-low threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-low category any
set shared profiles spyware "Default Anti-Spyware" rules simple-low packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains lists default-paloalto-dns action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains lists default-paloalto-dns packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-adtracking log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-adtracking action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-adtracking packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-cc log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-cc action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-cc packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-ddns log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-ddns action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-ddns packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-grayware log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-grayware action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-grayware packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-malware log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-malware action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-malware packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-parked log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-parked action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-parked packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-phishing log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-phishing action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-phishing packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-proxy log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-proxy action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-proxy packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-recent log-level default
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-recent action allow
set shared profiles spyware "Default Anti-Spyware" botnet-domains dns-security-categories pan-dns-sec-recent packet-capture disable
set shared profiles spyware "Default Anti-Spyware" botnet-domains sinkhole ipv4-address 127.0.0.1
set shared profiles spyware "Default Anti-Spyware" botnet-domains sinkhole ipv6-address ::1
set shared profiles spyware "Default Anti-Spyware" botnet-domains threat-exception
set shared profiles spyware "Default Anti-Spyware" threat-exception 14978 action default
After:
admin@Panorama# delete shared profiles spyware "Default Anti-Spyware" botnet-domains
admin@Panorama# show shared profiles spyware "Default Anti-Spyware"
set shared profiles spyware "Default Anti-Spyware" rules simple-critical action reset-both
set shared profiles spyware "Default Anti-Spyware" rules simple-critical severity critical
set shared profiles spyware "Default Anti-Spyware" rules simple-critical threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-critical category any
set shared profiles spyware "Default Anti-Spyware" rules simple-critical packet-capture single-packet
set shared profiles spyware "Default Anti-Spyware" rules simple-high action reset-both
set shared profiles spyware "Default Anti-Spyware" rules simple-high severity high
set shared profiles spyware "Default Anti-Spyware" rules simple-high threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-high category any
set shared profiles spyware "Default Anti-Spyware" rules simple-high packet-capture single-packet
set shared profiles spyware "Default Anti-Spyware" rules simple-medium action alert
set shared profiles spyware "Default Anti-Spyware" rules simple-medium severity medium
set shared profiles spyware "Default Anti-Spyware" rules simple-medium threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-medium category any
set shared profiles spyware "Default Anti-Spyware" rules simple-medium packet-capture disable
set shared profiles spyware "Default Anti-Spyware" rules simple-low action alert
set shared profiles spyware "Default Anti-Spyware" rules simple-low severity low
set shared profiles spyware "Default Anti-Spyware" rules simple-low threat-name any
set shared profiles spyware "Default Anti-Spyware" rules simple-low category any
set shared profiles spyware "Default Anti-Spyware" rules simple-low packet-capture disable
set shared profiles spyware "Default Anti-Spyware" threat-exception 14978 action default
