Configure Advanced DNS Security in Panorama

Table of Contents

Configure Advanced DNS Security in Panorama

Cloud NGFW for Azure leverages Advanced DNS Security to provide real-time, AI-driven protection against sophisticated DNS-layer threats.

Cloud NGFW for Azure leverages Advanced DNS Security to provide real-time, AI-driven protection against sophisticated DNS-layer threats. The Advanced tier uses cloud-based deep learning to block zero-day malicious domains.

Enable DNS Proxy in the Azure Portal.
Define Advanced DNS Categories in Panorama.
Advanced DNS Security is managed through the Anti-Spyware profile in your Panorama-managed device groups.
1. In Panorama, navigate to Objects > Security Profiles > Anti-Spyware.
2. Select the Device Group associated with your Cloud NGFW for Azure.
3. Click Add (or edit your existing profile) and go to the DNS Policies tab.
4. Select required log level for the respective ADNS.
5. Select the required action for the respective ADNS (applicable to PAN-OS version 11.2.7 and above only).
6. Click OK.
When you select the default options for your Newly Registered Domains, the Cloud NGFW automatically utilizes the Advanced DNS Security engine.
Deploy the Configuration.
1. Go to Policies > Security and ensure the Anti-Spyware profile is attached to your outbound security rules.
2. Commit the changes to Panorama.
3. Push the configuration to your Cloud NGFW for Azure device group.
Billing and Credits.
Once an Anti-Spyware profile with Advanced DNS categories is applied to a live Security Policy:
- The service is active and billed as an add-on.
- This appears in your Azure consumption as a credit surcharge (approximately 30% of the base firewall credit cost).
For more information, see Configuring Anti Spyware profile on Panorama.