Advanced DNS Security License Options
Advanced DNS Security Powered by Precision AI®


Describes the various Palo Alto Networks Advanced DNS Security licensing solutions.
Where Can I Use This?
  • Prisma Access
  • NGFW
  • VM-Series
  • CN-Series
What Do I Need?
A Palo Alto Networks DNS Security subscription; this can include:
  • Advanced DNS Security Resolver License
  • Advanced DNS Security License (for enhanced feature support)
  • DNS Security License
The Advanced DNS Security and DNS Security licenses also require the installation of:
  • Advanced Threat Prevention License
  • Threat Prevention License
Powered by Precision AI, Palo Alto Networks DNS Security subscriptions provide essential DNS threat protection. These are available primarily in two tiers for DNS protection: the standard DNS Security subscription and the more robust Advanced DNS Security subscription. Both are Cloud-Delivered Security Services (CDSS) that integrate directly with your Next-Generation Firewalls and Prisma Access.
The Advanced DNS Security Resolver is a new standalone, cloud-delivered offering that shifts Advanced DNS Security from a firewall function to a service-based architecture.
All Advanced DNS Security and DNS Security subscriptions (not including the Advanced DNS Security Resolver) require the installation of a valid Advanced Threat Prevention or Threat Prevention license, as they rely on the subsystems contained within those subscriptions.
  • DNS Security—The base subscription provides foundational protection by checking DNS requests against a cloud-based database of known domains to identify malicious domains.
    The DNS Security license is EOS (end-of-sale) and no longer available.
  • Advanced DNS Security—Introduced to combat more sophisticated, evasive threats, this tier includes everything in the standard subscription and also uses Precision AI and machine learning to inspect changes in DNS responses and detect various types of DNS hijacking in real time.
  • Advanced DNS Security Resolver—The Advanced DNS Resolver service provides cloud-based DNS resolution and inspection capabilities. This service allows you to forward your internet-bound DNS requests to a secure resolver managed by Palo Alto Networks, offering both domain-to-IP resolution and protection against DNS-based threats based on the Advanced DNS Security cloud service.
    The Advanced DNS Security Resolver licensing is based on a Per User Per Year (PUPY) model.
    • Daily Request Limit: Each user is allocated 5,000 DNS requests per day.
    • Usage Alerts: To provide visibility into service usage, the following occur when usage limits have been exceeded:
      • Initial Warning: If daily usage exceeds your number of user licenses, a warning notification is displayed.
      • Action for Persistent Usage: If elevated usage continues, a banner indicating the overage will be displayed, and the account team will be notified.