Advanced DNS Security Powered by Precision AI®
Manage Connection Sources
Define and verify egress IP addresses in SCM to enforce DNS security policies, block
C2/phishing, and manage internal domain bypasses for ADNSR.
The Advanced DNS Security Resolver requires the identification of specific connection sources
to enforce your organizational security policies. These connection sources represent
the egress IP addresses from your various network environments—including branch
offices, campuses, and data centers—that are authorized to forward DNS traffic for
inspection. By defining these sources, you establish the perimeter within which the
Advanced DNS Security Resolver applies advanced protections such as real-time phishing
detection and command-and-control (C2) blocking. This visibility extends beyond
physical infrastructure to include secure connections managed by Prisma Access
Agent, ensuring that mobile users remain subject to consistent DNS policy
enforcement even when working outside the traditional office environment.
When configuring connection sources in the Strata Cloud Manager for Advanced DNS Security Resolver, you must ensure that all static egress IP addresses are
verified to prevent unauthorized traffic from masquerading as your organization. In
contrast, Prisma Access Agent connections are pre-authenticated through the agent's
native identity management. Once these sources are successfully added and verified,
you can associate them with specific DNS Security profiles to dictate how the
resolver handles various threat categories. It is also essential to configure
internal domain bypass lists during this setup to ensure that private, internal-only
DNS requests are handled locally and not forwarded to the cloud resolver, thereby
avoiding resolution failures for internal resources.
Select from the connection source options below:
Manage Connection Sources (Advanced DNS Security Resolver)
1. Log in to the Strata Cloud Manager on the hub.
2. Select Configuration > ADNS Resolver and view the currently available Connection Sources. This provides an overview of all configured connection sources.
3. Click Create Connection Source and provide a Name and optional Description.
4. Select a DNS Security Profile with the appropriately configured security policies for the connection source.
5. Add IP addresses or subnets for the connection source. If you do not provide any at this time, a popup will notify you to add IP address(es) to your new connection.
   - From the IP Addresses panel, click + Add or delete entries (using the delete icon) to modify the IP Addresses list as necessary. You can only add valid IPv4 addresses with a /28 to /32 subnet range.
6. Click Save when finished. An icon appears next to new, unverified connection sources.
7. To verify the IP address, download the token using the supplied link (option 1) or generate one using the curl command (option 2). After you receive the token, enter it in the Enter Verification Token field. The client device used for verification (the device accessing the URL) must be within the specified subnet or IP range for the IP/subnet verification to succeed.
8. Click Verify to continue. Repeat as necessary for additional IP addresses. If you are verifying a subnet, you need to verify only a single IP address in the subnet range; all other IP addresses in that subnet are automatically verified.
Manage Connection Sources (Prisma Access Agent)
If your Prisma Access deployment provides secure access to your organization's network resources for remote users through Prisma Access Agent, a predefined connection source named Prisma Access Agent is present in the connection sources list. This connection source cannot be modified or removed, with the exception of redefining the associated DNS Security profile. Additionally, Prisma Access Agent connections do not need to be verified, because identification and authentication are managed internally through Strata Cloud Manager.

Prisma Access Agent support for Advanced DNS Security Resolver operates as a fallback option when the tunnel connection that provides secure access for mobile users fails or is not available. This allows you to retain DNS resolution and query and response inspection from the Advanced DNS Security Resolver service regardless of your connection status.

Unlike connection sources that are managed directly through the Advanced DNS Security Resolver, the Prisma Access Agent users and user groups that you want fallback support for are defined under Prisma Access Agent > Agent Settings > Match Criteria. Keep in mind that this is part of a larger configuration process (see Configure).

1. Log in to the Strata Cloud Manager on the hub.
2. Select Configuration > ADNS Resolver and select Prisma Access Agent.
3. Select a DNS Security Profile with the appropriately configured security policies for the connection source.
4. Click Save when finished.
5. Configure the Prisma Access Agent Connectivity Method located in your Forwarding Profile to enable ADNS cloud-based DNS resolution and real-time inspection. For more information, refer to step 2 of Configure for Prisma Access Agent. The ADNS connection option can only be enabled when Tunnel is enabled first.
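The static egress connection sources described in the Advanced DNS Security Resolver procedure above impose two rules that are easy to get wrong before opening the SCM form: each entry must be a valid IPv4 address or subnet with a /28 to /32 prefix, and the host that fetches the verification token must sit inside the entry it verifies (one verified address covers the whole subnet). The following script is an added example, not Palo Alto Networks code and not part of the original page; it pre-checks a proposed entry list against those rules with Python's standard ipaddress module. The function names and the sample addresses are constructed for this illustration.

```python
"""Pre-flight checks for Advanced DNS Security Resolver connection-source entries.

Added illustration, not Palo Alto Networks code and not part of the original
page. It models two rules the page states for static egress sources: an entry
must be a valid IPv4 address or subnet with a /28 to /32 prefix, and
verification only succeeds when the client fetching the token is inside the
entry being verified. Function names and sample addresses are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List

MIN_PREFIX = 28  # smallest subnet the page says SCM accepts
MAX_PREFIX = 32  # a single host address


def parse_entry(entry: str) -> ipaddress.IPv4Network:
    """Return the network for an entry, or raise ValueError with the reason.

    Accepts a bare host such as '203.0.113.10' (treated as /32) or CIDR such as
    '203.0.113.0/28'. Rejects IPv6, subnets with host bits set, and prefixes
    outside the documented /28-/32 range.
    """
    try:
        net = ipaddress.ip_network(entry, strict=True)
    except ValueError as exc:
        raise ValueError(f"{entry}: {exc}") from exc
    if net.version != 4:
        raise ValueError(f"{entry}: only IPv4 entries are accepted")
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(
            f"{entry}: prefix /{net.prefixlen} is outside /{MIN_PREFIX}-/{MAX_PREFIX}"
        )
    return net


def validate_entries(entries: Iterable[str]) -> Dict[str, str]:
    """Map each proposed entry to 'ok' or the reason it would be rejected."""
    report: Dict[str, str] = {}
    for entry in entries:
        try:
            parse_entry(entry)
            report[entry] = "ok"
        except ValueError as exc:
            report[entry] = str(exc)
    return report


def can_verify(entry: str, client_ip: str) -> bool:
    """True when the host fetching the verification token sits inside the entry.

    Verification from an address outside the range fails, so check this before
    opening the token link or running the curl command.
    """
    return ipaddress.ip_address(client_ip) in parse_entry(entry)


def verification_state(entries: Iterable[str], verified_from: List[str]) -> Dict[str, bool]:
    """Per-entry verified flag, given the client addresses that completed verification.

    A subnet entry counts as verified as soon as any one address inside it has
    been verified; every other address in that subnet is then covered.
    """
    verified_addrs = [ipaddress.ip_address(ip) for ip in verified_from]
    return {
        entry: any(addr in parse_entry(entry) for addr in verified_addrs)
        for entry in entries
    }


if __name__ == "__main__":
    # Constructed sample: one /28 branch egress range, one /32 data-centre address,
    # and three entries that the form would reject.
    proposed = ["203.0.113.0/28", "203.0.113.5/28", "10.0.0.0/24",
                "2001:db8::/32", "198.51.100.4"]
    for entry, verdict in validate_entries(proposed).items():
        print(f"{entry:>16}  {verdict}")
    print(can_verify("203.0.113.0/28", "203.0.113.7"))   # inside the /28
    print(can_verify("203.0.113.0/28", "203.0.113.20"))  # .16-.31 is a different /28
    print(verification_state(["203.0.113.0/28", "198.51.100.4"], ["203.0.113.3"]))
```

Run it before filling in the IP Addresses panel: entries reported as anything other than "ok" will not be accepted, and can_verify tells you whether the workstation you plan to fetch the token from is actually inside the range, which is the usual cause of a failed IP/subnet verification.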