Bypass DNS Security Subscriptions Services
Focus
Focus
Advanced DNS Security Powered by Precision AI™

Bypass DNS Security

Table of Contents

Bypass DNS Security Subscriptions Services

Where Can I Use This?
What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
  • VM-Series
  • CN-Series
  • Advanced DNS Security License (for enhanced feature support) or DNS Security License
  • Advanced Threat Prevention or Threat Prevention License
DNS Security queries can be bypassed in cases where latency issues or other network issues are present.
In cases where false-positives occur, Palo Alto Networks recommends creating specific exceptions instead of bypassing DNS Security queries.

Bypass DNS Security Subscriptions Services (
Strata Cloud Manager
)

  1. Use the credentials associated with your Palo Alto Networks support account and log in to the
    Strata Cloud Manager
    on the hub.
  2. Go to
    Manage
    Configuration
    NGFW and
    Prisma Access
    Security Services
    DNS Security
    and select the relevant DNS Security profile.
  3. Configure the DNS Security signature policy settings to bypass DNS Security queries. For each DNS category, set the
    Action
    to
    allow
    and
    Packet Capture
    to
    disabled
    . In the following, the DNS Security categories have been configured to bypass DNS Security queries.
  4. In the
    Overrides
    section, verify that there are no entries present; if necessary, delete all
    Domain/FQDN
    overrides.
  5. Click
    OK
    to save the DNS Security profile.

Bypass DNS Security Subscriptions Services (
NGFW (Managed by PAN-OS or Panorama)
)

PAN-OS 10.0 and later supports individually configurable DNS signature sources, which enables you to define separate policy actions as well as a log severity level for a given signature source. This requires you to configure both the policy action and the log severity for each available DNS signature source to bypass DNS Security. Additionally, you must also remove the DNS exceptions entries for the DNS Security to be fully bypassed. On PAN-OS 9.1, you can simply set the policy action for Palo Alto Networks DNS Security to an action of allow.

Bypass DNS Security Subscriptions Services (PAN-OS 10.0 and later)

  1. Configure the DNS Security signature policy settings to bypass DNS Security queries.
    1. Select
      Objects
      Security Profiles
      Anti-Spyware
      .
    2. Select the profile containing your active DNS Security policy settings.
    3. Select the
      DNS Policies
      tab.
    4. For each DNS category, set the log severity to
      none
      , the policy action to
      allow
      , and packet capture to
      disable
      . In the following, the DNS Security categories have been configured to bypass DNS Security queries.
  2. Select
    DNS Exceptions
    and remove all
    DNS Domain/FQDN Allow List
    entries.
  3. Click
    OK
    to save the Anti-Spyware profile.

Bypass DNS Security Subscriptions Services (PAN-OS 9.1)

  1. Configure DNS Security signature policy settings to bypass DNS Security look-ups.
    1. Select
      Objects
      Security Profiles
      Anti-Spyware
      .
    2. Select the profile containing your active DNS Security policy settings.
    3. Select the
      DNS Signatures
      tab.
    4. Under
      Policies & Settings
      , set the policy action for
      Palo Alto Networks DNS Security
      to an action of
      allow
      .
  2. Click
    OK
    to save the Anti-Spyware profile.

Recommended For You