Describes the various prerequisites and co-dependencies that the Advanced DNS Security subscriptions have.
Where Can I Use This?
- Prisma Access
- NGFW
- VM-Series
- CN-Series

What Do I Need?
- A Palo Alto Networks DNS Security subscription; this can include:
  - Advanced DNS Security Resolver License
  - Advanced DNS Security License (for enhanced feature support)
  - DNS Security License
- The Advanced DNS Security and DNS Security licenses also require the installation of:
  - Advanced Threat Prevention License
  - Threat Prevention License

Palo Alto Networks Advanced DNS Security subscriptions may have certain dependencies based on which subscription you have purchased.

DNS Security
- Minimum PAN-OS version: PAN-OS 9.0 and later.
- An active Advanced Threat Prevention or Threat Prevention License must be present on the device where the DNS Security license is located.

Advanced DNS Security
- Minimum PAN-OS version: PAN-OS 11.2 and later. On earlier versions, only the base DNS Security features function.
- The Advanced DNS Security license includes all base DNS Security features, but it is delivered through the base DNS Security license; as such, both licenses appear in the PAN-OS license list. In the case of Prisma Access, it is generally included as part of the Prisma Access bundle and shows as a single entry under Security Services: DNS Security.
- Because the base license is present, the DNS Security license requirement for an active Advanced Threat Prevention or Threat Prevention License carries over to Advanced DNS Security.

Advanced DNS Security Resolver
- Because the Advanced DNS Security Resolver service sends all its logs to the Palo Alto Networks cloud-based logging service, the tenant where you activate the license must be configured to use Strata Logging Service (SLS, formerly Cortex Data Lake). As this is a functional requirement, the Advanced DNS Security Resolver service includes SLS with 1 year of log retention.
- As a standalone service, the Advanced DNS Security Resolver does not require any other Palo Alto Networks services (e.g., CDSS subscriptions, NGFW, or SASE) for operation. However, it does provide integration with Prisma Access Agent, a next-generation endpoint client that enables secure connectivity and consistent security policies for hybrid, remote, and on-premises users.