DNS Security
PAN-OS
Table of Contents
PAN-OS & Panorama
PAN-OS 10.0 and later supports individually
configurable DNS signature sources, which enables you to define
separate policy actions as well as a log severity level for a given
signature source. This requires you to configure both the policy
action and the log severity for each available DNS signature source
to bypass DNS Security. Additionally, you must also remove the DNS
exceptions entries for the DNS Security to be fully bypassed. On
PAN-OS 9.1, you can simply set the policy action for Palo Alto Networks
DNS Security to an action of allow.
PAN-OS 10.0 and later
- Configure the DNS Security signature policy settings to bypass DNS Security queries.
- Select .
- Select the profile containing your active DNS Security policy settings.
- Select theDNS Policiestab.
- For each DNS category, set the log severity tonone, the policy action toallow, and packet capture todisable. In the following, the DNS Security categories have been configured to bypass DNS Security queries.
- SelectDNS Exceptionsand remove allDNS Domain/FQDN Allow Listentries.
- ClickOKto save the Anti-Spyware profile.
PAN-OS 9.1
- Configure DNS Security signature policy settings to bypass DNS Security look-ups.
- Select .
- Select the profile containing your active DNS Security policy settings.
- Select theDNS Signaturestab.
- UnderPolicies & Settings, set the policy action forPalo Alto Networks DNS Securityto an action ofallow.
- ClickOKto save the Anti-Spyware profile.