EDL Dynamic Domain list that is allowed in Anti-spyware profile> DNS Polices is getting sinkholed

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

EDL Dynamic Domain list that is allowed in Anti-spyware profile> DNS Polices is getting sinkholed

L1 Bithead

We have four VM 300 firewalls configured as DNS proxy with DNS Security, where all our users (around 65K) are using them as a DNS resolver. The pano os version we are running is 10.1.11-h4.

We have configured couple of EDL custom domain list, one to allow domains otherwise blocked by PA's DNS signature and one to block domains that our security finds vulnerable. These EDLs are configured through Anti-spyware profile > DNS Policies > for Allow EDL policy action Alert, and for Block EDL policy action sinkhole.

Since yesterday, we start seeing that all domains in the Allowed list are getting sinkholed and we see under Monitor > Threats that these domains are blocked by the Blocked EDL.

We have been working with the TAC since yesterday, and it seems no luck on that.

Thank you

 

1 accepted solution

Accepted Solutions


@DerejeBallSportsGear@Dereje wrote:

We have four VM 300 firewalls configured as DNS proxy with DNS Security, where all our users (around 65K) are using them as a DNS resolver. The pano os version we are running is 10.1.11-h4.

We have configured couple of EDL custom domain list, one to allow domains otherwise blocked by PA's DNS signature and one to block domains that our security finds vulnerable. These EDLs are configured through Anti-spyware profile > DNS Policies > for Allow EDL policy action Alert, and for Block EDL policy action sinkhole.

Since yesterday, we start seeing that all domains in the Allowed list are getting sinkholed and we see under Monitor > Threats that these domains are blocked by the Blocked EDL.

We have been working with the TAC since yesterday, and it seems no luck on that.

Thank you

 


Hello,

 

It seems that you are experiencing a known issue with the DNS Security feature in PAN-OS 10.1.11-h4. According to the Palo Alto Networks Knowledge Base, there is a bug that causes the DNS Security to incorrectly sinkhole domains that are in the allow list of the DNS policy. This bug affects the VM-Series firewalls that are configured as DNS proxies and use external dynamic lists (EDLs) of type domain in the DNS policy.

 

The workaround for this issue is downgrade the PAN - OS version 10.1,10 or earlier or to upgrade to 10.1.12 or later, which have fixed this bug. Alternatively, you can disable the DNS Security feature on the VM-Series firewalls until you can upgrade or downgrade the PAN-OS version.

 

I hope this helps to understand and resolve the issue. 

 

Best regards,

Nicholas185Smith

 

 

 

 

 

View solution in original post

1 REPLY 1


@DerejeBallSportsGear@Dereje wrote:

We have four VM 300 firewalls configured as DNS proxy with DNS Security, where all our users (around 65K) are using them as a DNS resolver. The pano os version we are running is 10.1.11-h4.

We have configured couple of EDL custom domain list, one to allow domains otherwise blocked by PA's DNS signature and one to block domains that our security finds vulnerable. These EDLs are configured through Anti-spyware profile > DNS Policies > for Allow EDL policy action Alert, and for Block EDL policy action sinkhole.

Since yesterday, we start seeing that all domains in the Allowed list are getting sinkholed and we see under Monitor > Threats that these domains are blocked by the Blocked EDL.

We have been working with the TAC since yesterday, and it seems no luck on that.

Thank you

 


Hello,

 

It seems that you are experiencing a known issue with the DNS Security feature in PAN-OS 10.1.11-h4. According to the Palo Alto Networks Knowledge Base, there is a bug that causes the DNS Security to incorrectly sinkhole domains that are in the allow list of the DNS policy. This bug affects the VM-Series firewalls that are configured as DNS proxies and use external dynamic lists (EDLs) of type domain in the DNS policy.

 

The workaround for this issue is downgrade the PAN - OS version 10.1,10 or earlier or to upgrade to 10.1.12 or later, which have fixed this bug. Alternatively, you can disable the DNS Security feature on the VM-Series firewalls until you can upgrade or downgrade the PAN-OS version.

 

I hope this helps to understand and resolve the issue. 

 

Best regards,

Nicholas185Smith

 

 

 

 

 

  • 1 accepted solution
  • 1521 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!