DNS Security Administration
  • DNS Security Administration
  • Advanced DNS Security Powered by Precision AI® Documentation
  • All Documentation
>
Bypass DNS Security Subscriptions Services
Focus
Download PDF
Focus
  1. Home
  2. Advanced DNS Security Powered by Precision AI®
  3. Configure DNS Security Subscription Services
  4. Bypass DNS Security Subscriptions Services
Download PDF
Advanced DNS Security Powered by Precision AI®

Bypass DNS Security Subscriptions Services

Table of Contents

Bypass DNS Security Subscriptions Services

Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
  • VM-Series
  • CN-Series
  • Advanced DNS Security License (for enhanced feature support) or DNS Security License
  • Advanced Threat Prevention or Threat Prevention License
DNS Security queries can be bypassed in cases where latency issues or other network issues are present.
In cases where false-positives occur, Palo Alto Networks recommends creating specific exceptions instead of bypassing DNS Security queries.

Bypass DNS Security Subscriptions Services (Strata Cloud Manager)

  1. Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager on the hub.
  2. Go to ManageConfigurationNGFW and Prisma AccessSecurity ServicesDNS Security and select the relevant DNS Security profile.
  3. Configure the DNS Security signature policy settings to bypass DNS Security queries. For each DNS category, set the Action to allow and Packet Capture to disabled. In the following, the DNS Security categories have been configured to bypass DNS Security queries.
  4. In the Overrides section, verify that there are no entries present; if necessary, delete all Domain/FQDN overrides.
  5. Click OK to save the DNS Security profile.

Bypass DNS Security Subscriptions Services (NGFW (Managed by PAN-OS or Panorama))

PAN-OS 10.0 and later supports individually configurable DNS signature sources, which enables you to define separate policy actions as well as a log severity level for a given signature source. This requires you to configure both the policy action and the log severity for each available DNS signature source to bypass DNS Security. Additionally, you must also remove the DNS exceptions entries for the DNS Security to be fully bypassed. On PAN-OS 9.1, you can simply set the policy action for Palo Alto Networks DNS Security to an action of allow.

Bypass DNS Security Subscriptions Services (PAN-OS 10.0 and later)

  1. Log in to the NGFW.
  2. Configure the DNS Security signature policy settings to bypass DNS Security queries.
    1. Select ObjectsSecurity ProfilesAnti-Spyware.
    2. Select the profile containing your active DNS Security policy settings.
    3. Select the DNS Policies tab.
    4. For each DNS category, set the log severity to none, the policy action to allow, and packet capture to disable. In the following, the DNS Security categories have been configured to bypass DNS Security queries.
  3. Select DNS Exceptions and remove all DNS Domain/FQDN Allow List entries.
  4. Click OK to save the Anti-Spyware profile.

Bypass DNS Security Subscriptions Services (PAN-OS 9.1)

  1. Log in to the NGFW.
  2. Configure DNS Security signature policy settings to bypass DNS Security look-ups.
    1. Select ObjectsSecurity ProfilesAnti-Spyware.
    2. Select the profile containing your active DNS Security policy settings.
    3. Select the DNS Signatures tab.
    4. Under Policies & Settings, set the policy action for Palo Alto Networks DNS Security to an action of allow.
  3. Click OK to save the Anti-Spyware profile.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.