Manage Connection Sources

Table of Contents

Manage Connection Sources

Define and verify egress IP addresses in SCM to enforce DNS security policies, block C2/phishing, and manage internal domain bypasses for ADNSR.

Where Can I Use This?	What Do I Need?
Strata Cloud Manager	Advanced DNS Resolver License Additionally, if using Prisma Access Agent as a connection source: Prisma Access Agent License Minimum Prisma Access Agent version: 25.7 Supported operating systems: Windows, macOS

The Advanced DNS Security Resolver requires the identification of specific connection sources to enforce your organizational security policies. These connection sources represent the egress IP addresses from your various network environments—including branch offices, campuses, and data centers—that are authorized to forward DNS traffic for inspection. By defining these sources, you establish the perimeter within which the Advanced DNS Security Resolver applies advanced protections such as real-time phishing detection and command-and-control (C2) blocking. This visibility extends beyond physical infrastructure to include secure connections managed by Prisma Access Agent, ensuring that mobile users remain subject to consistent DNS policy enforcement even when working outside the traditional office environment.

When configuring connection sources in the Strata Cloud Manager for Advanced DNS Security Resolver, you must ensure that all static egress IP addresses are verified to prevent unauthorized traffic from masquerading as your organization. In contrast, Prisma Access Agent connections are pre-authenticated through the agent's native identity management. Once these sources are successfully added and verified, you can associate them with specific DNS Security profiles to dictate how the resolver handles various threat categories. It is also essential to configure internal domain bypass lists during this setup to ensure that private, internal-only DNS requests are handled locally and not forwarded to the cloud resolver, thereby avoiding resolution failures for internal resources.

Select from the connection source options below:

Manage Connection Sources (Advanced DNS Security Resolver)

Log in to the Strata Cloud Manager on the hub.
Select ConfigurationADNS Resolver and view currently available Connection Sources. This provides an overview of all configured connection sources.
Click Create Connection Source and provide a Name and optional Description.
Select a DNS Security Profile with the appropriately configured security policies for the connection source.
Add IPv4 and IPv6 addresses or subnets for the connection source. If you do not provide any at this time, a popup will notify you to add IP address(es) to your new connection. You can specify up to 1000 subnets across connection sources for a given tenant.
Valid IP addresses must conform with the following parameters:
IPv6—Individual node addresses must have prefix length of /128. For broader subnet allocations, use a prefix length within the /56 to /64 range.
IPv4—Individual addresses must have CIDR prefix of /32. For broader subnet allocations, use a prefix length within the /28 to /32 range.
While the Advanced DNS Security Resolver supports dual-stack IPv4 and IPv6 connectivity, to ensure proper routing and system compatibility, please use the standard notation for each protocol rather than using IPv4-mapped IPv6 formats.
1. From the IP Addresses panel, + Add or delete entries (using the icon) to modify the IP Addresses list entries as necessary.
2. Click Save when finished. An icon appears next to new unverified connection sources.
To Verify the IP address, you must download the token using the supplied link (option 1) or generate one by using the curl command (option 2). After you receive the token, you must then Enter Verification Token in the provided field.

The client device used for verification (the accessing URL) must be within the specified subnet or IP range for successful IP/Subnet verification.
Click Verify to continue.
Repeat as necessary for additional IP addresses.

If you are verifying a subnet, it is only necessary to verify a single IP address in the subnet IP range; all other IP addresses in that subnet are automatically verified.

Manage Connection Sources (Prisma Access Agent)

If your Prisma Access deployment provides secure access to your organization's network resources for remote users through Prisma Access Agent, a predefined connection source named Prisma Access Agent is present in the connection sources list. This connection source cannot be modified or removed, with the exception of the redefining the associated DNS Security profile. Additionally, Prisma Access Agent connections do not need to be verified, as identification and authentication are managed internally through Strata Cloud Manager.

Prisma Access Agent support for Advanced DNS Security Resolver operates as a fall-back option when the tunnel connection that provides secure access for mobile users fails or is not available. This allows you to retain DNS resolution and query and response inspection from the Advanced DNS Security Resolver service, regardless of your connection status.

Unlike connection sources that are managed directly through the Advanced DNS Security Resolver, Prisma Access Agent users and user groups that you want fallback support for are defined within the Prisma Access Agent > Agent Settings > Match Criteria. Keep in mind, this is part of a larger configuration process to Configure.

Log in to the Strata Cloud Manager on the hub.
Select ConfigurationADNS Resolver and select Prisma Access Agent.
Select a DNS Security Profile with the appropriately configured security policies for the connection source.
Click Save when finished.
Configure the Prisma Access Agent Connectivity Method located in your Forwarding Profile to enable ADNS cloud-based DNS resolution and real-time inspection. For more information, refer to step 2 of: Configure for Prisma Access Agent.

The ADNS connection option can only be enabled when Tunnel is enabled first.
(Optional) Review logs generated by the in Strata Cloud Manager.