DNS Sinkhole

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

DNS Sinkhole

L3 Networker

Hi guys,

 

I have Threat prevention license in my PA-3200 Series firewall but when i configure dns sinkhole in antispyware I am getting Warning: "No Valid DNS Security License" during commit, do i need to buy DNS license to work with sinkhole feature. 

 

Please suggest.

2 accepted solutions

Accepted Solutions

Hi Pavel,

Pan-os version is 10.1.5-h2, and as per KB article  if i'll use Paloalto Networks content signatures and action as sinkhole - i won't require DNS signature license.

 

and if i will go for DNS security signature, ill be requiring DNS license. 

 

correct me if i am wrong.

 

dns.jpg

View solution in original post

Cyber Elite
Cyber Elite

Thank you for reply @Doyenadmin, your understanding is correct.

 

Help the community: Like helpful comments and mark solutions.

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

Hello @Doyenadmin

 

for DNS Sinkhole setup, the DNS Security License is not required. The Threat Prevention License is enough to enable this feature.

 

Could you please share a screen of your setup along with PAN-OS version?

 

I would also recommend to have a look into this KB to make sure that it is configured according to best practice: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Hi @Doyenadmin 

 

Just to add to @PavelK great answer it is important to point which DNS signature policy you have configured with sinkhole.

Astardzhiev_0-1657787648205.png

As you can see from the documentation "DNS Security" category requires the additional DNS Security license

Astardzhiev_1-1657787722608.png

Trying to use any of the above with action sinkhole or block will require additional license. And this is how it looks on 9.1 versions

Astardzhiev_2-1657787820846.png

 

Hi Pavel,

Pan-os version is 10.1.5-h2, and as per KB article  if i'll use Paloalto Networks content signatures and action as sinkhole - i won't require DNS signature license.

 

and if i will go for DNS security signature, ill be requiring DNS license. 

 

correct me if i am wrong.

 

dns.jpg

Cyber Elite
Cyber Elite

Thank you for reply @Doyenadmin, your understanding is correct.

 

Help the community: Like helpful comments and mark solutions.
  • 2 accepted solutions
  • 4401 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!