Bypass DNS Security Subscriptions Services
Advanced DNS Security Powered by Precision AI®

Adjust DNS Security with a fail-open timeout to maintain performance. If queries exceed this limit, queries pass without inspection to prevent network latency and user disruption.
Where Can I Use This?
  • Prisma Access
  • NGFW
  • VM-Series
  • CN-Series
What Do I Need?
  • Advanced DNS Security License (for enhanced feature support) or DNS Security License
  • Advanced Threat Prevention or Threat Prevention License
DNS Security is designed to provide real-time protection by performing cloud-based lookups for domain signatures. However, to ensure that security inspection does not negatively impact user experience or critical network operations, the NGFW can bypass these queries if latency or connectivity issues occur. By default, the NGFW implements a 100-millisecond timeout; if a verdict is not received from the DNS Security cloud within this window, the DNS response is released to the client without further analysis. This fail-open mechanism prevents network bottlenecks and ensures that internal applications remain responsive even during transient periods of high service latency or network congestion.
In addition to handling latency, you can configure a manual bypass of the service if comprehensive troubleshooting or policy changes are required. This is achieved by setting the policy action to allow, the packet capture to disabled, and the log severity to none (for NGFW) within the Anti-Spyware profile for specific DNS categories. This level of control ensures that administrators can maintain operational continuity while balancing the need for deep DNS-layer visibility. For persistent false positives, Palo Alto Networks recommends using domain exceptions rather than a full service bypass to maintain a high security posture for the rest of your network traffic.
In cases where false positives occur, Palo Alto Networks recommends creating specific exceptions instead of bypassing DNS Security queries altogether.

Bypass DNS Security Subscriptions Services (Strata Cloud Manager)

  1. Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager on the hub.
  2. Go to Configuration > NGFW and Prisma Access > Security Services > DNS Security and select the relevant DNS Security profile.
  3. Configure the DNS Security signature policy settings to bypass DNS Security queries. For each DNS category, set the Action to allow and Packet Capture to disabled. In the following, the DNS Security categories have been configured to bypass DNS Security queries.
  4. In the Overrides section, verify that there are no entries present; if necessary, delete all Domain/FQDN overrides.
  5. Click OK to save the DNS Security profile.

Bypass DNS Security Subscriptions Services (NGFW (Managed by PAN-OS or Panorama))

PAN-OS 10.0 and later supports individually configurable DNS signature sources, which enables you to define a separate policy action and log severity level for each signature source. To bypass DNS Security, you must therefore configure both the policy action and the log severity for every available DNS signature source. You must also remove the DNS Exceptions entries for DNS Security to be fully bypassed. On PAN-OS 9.1, you can simply set the policy action for Palo Alto Networks DNS Security to allow.

Bypass DNS Security Subscriptions Services (PAN-OS 10.0 and later)

  1. Configure the DNS Security signature policy settings to bypass DNS Security queries.
    1. Select Objects > Security Profiles > Anti-Spyware.
    2. Select the profile containing your active DNS Security policy settings.
    3. Select the DNS Policies tab.
    4. For each DNS category, set the log severity to none, the policy action to allow, and packet capture to disabled. In the following, the DNS Security categories have been configured to bypass DNS Security queries.
  2. Select DNS Exceptions and remove all DNS Domain/FQDN Allow List entries.
  3. Click OK to save the Anti-Spyware profile.
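A bypass left in place after troubleshooting silently removes DNS-layer inspection, so it is worth auditing exported configurations for profiles that match the three settings above with an empty exception list. The following script is an added example, not Palo Alto Networks code; the XML element names (`profiles/spyware`, `botnet-domains`, `dns-security-categories`, `whitelist`) and the sample export are assumed and constructed to mirror the fields this procedure sets.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a PAN-OS config export (element names are
# assumed, not an official schema). Three Anti-Spyware profiles: fully bypassed,
# categories allowed but a DNS exception still present, and still enforcing.
SAMPLE_CONFIG = """<config><profiles><spyware>
  <entry name="troubleshooting-bypass"><botnet-domains>
    <dns-security-categories>
      <entry name="pan-dns-sec-malware"><log-level>none</log-level><action>allow</action><packet-capture>disable</packet-capture></entry>
      <entry name="pan-dns-sec-cc"><log-level>none</log-level><action>allow</action><packet-capture>disable</packet-capture></entry>
    </dns-security-categories>
    <whitelist/>
  </botnet-domains></entry>
  <entry name="half-done"><botnet-domains>
    <dns-security-categories>
      <entry name="pan-dns-sec-malware"><log-level>none</log-level><action>allow</action><packet-capture>disable</packet-capture></entry>
    </dns-security-categories>
    <whitelist><entry name="example.com"/></whitelist>
  </botnet-domains></entry>
  <entry name="production"><botnet-domains>
    <dns-security-categories>
      <entry name="pan-dns-sec-malware"><log-level>high</log-level><action>sinkhole</action><packet-capture>single-packet</packet-capture></entry>
      <entry name="pan-dns-sec-cc"><log-level>critical</log-level><action>sinkhole</action><packet-capture>disable</packet-capture></entry>
    </dns-security-categories>
    <whitelist><entry name="example.com"/></whitelist>
  </botnet-domains></entry>
</spyware></profiles></config>"""

def category_bypassed(cat: ET.Element) -> bool:
    """True when one DNS category carries the three settings the procedure uses."""
    return (cat.findtext("action") == "allow"
            and cat.findtext("packet-capture") == "disable"
            and cat.findtext("log-level") == "none")

def audit_dns_security(config_xml: str) -> dict:
    """Map each Anti-Spyware profile name to BYPASSED, PARTIAL or ENFORCING."""
    results = {}
    for prof in ET.fromstring(config_xml).iterfind(".//profiles/spyware/entry"):
        cats = prof.findall("botnet-domains/dns-security-categories/entry")
        flags = [category_bypassed(c) for c in cats]
        # The Domain/FQDN exception list must also be empty for a full bypass.
        exceptions = prof.findall("botnet-domains/whitelist/entry")
        if cats and all(flags) and not exceptions:
            results[prof.get("name")] = "BYPASSED"
        elif any(flags):
            results[prof.get("name")] = "PARTIAL"  # inspection only partly disabled
        else:
            results[prof.get("name")] = "ENFORCING"
    return results
```

Running `audit_dns_security(SAMPLE_CONFIG)` flags the first profile as BYPASSED and the second as PARTIAL, which is the state to look for when confirming that a temporary bypass was reverted.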

Bypass DNS Security Subscriptions Services (PAN-OS 9.1)

  1. Configure DNS Security signature policy settings to bypass DNS Security look-ups.
    1. Select Objects > Security Profiles > Anti-Spyware.
    2. Select the profile containing your active DNS Security policy settings.
    3. Select the DNS Signatures tab.
    4. Under Policies & Settings, set the policy action for Palo Alto Networks DNS Security to allow.
  2. Click OK to save the Anti-Spyware profile.