>
    Test Connectivity to the DNS Security Cloud Services
    Focus
    Download PDF
    Focus
    1. Home
    2. Advanced DNS Security Powered by Precision AI™
    3. Configure DNS Security Subscription Services
    4. Test Connectivity to the DNS Security Cloud Services
    Download PDF
    Advanced DNS Security Powered by Precision AI™

    Test Connectivity to the DNS Security Cloud Services

    Table of Contents

    Test Connectivity to the DNS Security Cloud Services

    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Strata Cloud Manager)
    • NGFW (Managed by PAN-OS or Panorama)
    • VM-Series
    • CN-Series
    • Advanced DNS Security License (for enhanced feature support) or DNS Security License
    • Advanced Threat Prevention or Threat Prevention License

    DNS Security

    Verify your firewall connectivity to the DNS Security service. If you cannot reach the service, verify that the following domain is not being blocked: dns.service.paloaltonetworks.com.
    1. Access the firewall CLI.
    2. Use the following CLI command to verify your firewall’s connection availability to the DNS Security service.
      show dns-proxy dns-signature info
      For example:
      show dns-proxy dns-signture info

Cloud URL: dns.service.paloaltonetworks.com:443

Telemetry URL: io.dns.service.paloaltonetworks.com:443

Last Result: None

Last Server Address:

Parameter Exchange: Interval 300 sec

Allow List Refresh: Interval 43200 sec

Request Waiting Transmission: 0

Request Pending Response: 0

Cache Size: 0
      If your firewall has an active connection to the DNS Security service, the server details display in the response output.
    3. Retrieve a specified domain’s transaction details, such as latency, TTL, and the signature category.
      Use the following CLI command on the firewall to review the details about a domain:
      test dns-proxy dns-signature fqdn
      For example:
      test dns-proxy dns-signature fqdn www.yahoo.com

DNS Signature Query [ www.yahoo.com ]

Completed in 178 ms

DNS Signature Response

Entries: 2

Domain                             Category        GTID                 TTL
-------------------------------------------------------------------------------------------------
*.yahoo.com                        Benign          0                    86400
  www.yahoo.com                    Benign          0                    3600

    Advanced DNS Security

    Verify your firewall connectivity to the Advanced DNS Security service. If you cannot reach the service, verify that the following domain is not being blocked: adv-dns.service.paloaltonetworks.com. If you have manually configured a regional Advanced DNS Security server, you may need to verify the specific regional domain is also unblocked.
    1. Verify the status of your firewall connectivity to the Advanced DNS Security cloud service.
      Use the following CLI command on the firewall to view the connection status.
      show ctd-agent status security-client
      For example:
      show ctd-agent status security-client

...
Security Client ADNS(1)
        Current cloud server:   qa.adv-dns.service.paloaltonetworks.com:443
        Cloud connection:       connected
        Config:
                Number of gRPC connections: 2, Number of workers: 8
                Debug level: 2, Insecure connection: false, Cert valid: true, Key valid: true, CA count: 306
                Maximum number of workers: 12
                Maximum number of sessions a worker should process before reconnect: 10240
                Maximum number of messages per worker: 0
                Skip cert verify: false
        Grpc Connection Status:
                State Ready (3), last err rpc error: code = Unavailable desc = unexpected HTTP status code received from server: 502 (Bad Gateway); transport: received unexpected content-type "text/html"
                Pool state: Ready (2)
                     last update: 2024-01-24 11:15:00.549591469 -0800 PST m=+1197474.129493596
                     last connection retry: 2024-01-23 00:03:09.093756623 -0800 PST m=+1070762.673658768
                     last pool close: 2024-01-22 14:15:50.36062031 -0800 PST m=+1035523.940522446
Security Client AdnsTelemetry(2)
        Current cloud server:   io-qa.adv-dns.service.paloaltonetworks.com:443
        Cloud connection:       connected
        Config:
                Number of gRPC connections: 2, Number of workers: 8
                Debug level: 2, Insecure connection: false, Cert valid: true, Key valid: true, CA count: 306
                Maximum number of workers: 12
                Maximum number of sessions a worker should process before reconnect: 10240
                Maximum number of messages per worker: 0
                Skip cert verify: false
        Grpc Connection Status:
                State Ready (3), last err rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: PROTOCOL_ERROR
                Pool state: Ready (2)
                     last update: 2024-01-24 11:25:58.340198656 -0800 PST m=+1198131.920100772
                     last connection retry: 2024-01-23 00:03:36.78141425 -0800 PST m=+1070790.361316421
                     last pool close: 2024-01-22 14:24:26.954340157 -0800 PST m=+1036040.534242289
...
      Verify that the cloud connection status for Security Client AdnsTelemetry(2) and Security Client ADNS(1) are showing active connections.
      CLI output shortened for brevity.
      If you are unable to connect to the Advanced DNS Security cloud service, verify that the Advanced DNS server is not being blocked: dns.service.paloaltonetworks.com.

    © 2024 Palo Alto Networks, Inc. All rights reserved.