Bypass DNS Security

Where Can I Use This?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS or Panorama Managed)
  • VM-Series
  • CN-Series Firewall

What Do I Need?
  • DNS Security License
  • Advanced Threat Prevention or Threat Prevention License

DNS Security queries can be bypassed when latency or other network issues are present.
Where false positives occur, Palo Alto Networks recommends creating specific exceptions instead of bypassing DNS Security queries.

Cloud Management

  1. Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager on the hub.
  2. Go to Manage > Configuration > NGFW and Prisma Access > Security Services > DNS Security and select the relevant DNS Security profile.
  3. Configure the DNS Security signature policy settings to bypass DNS Security queries. For each DNS category, set the Action to allow and Packet Capture to disabled. In the following, the DNS Security categories have been configured to bypass DNS Security queries.
  4. In the Overrides section, verify that there are no entries present; if necessary, delete all Domain/FQDN overrides.
  5. Click OK to save the DNS Security profile.

PAN-OS & Panorama

PAN-OS 10.0 and later support individually configurable DNS signature sources, which let you define a separate policy action and log severity level for each signature source. To bypass DNS Security, you must therefore configure both the policy action and the log severity for each available DNS signature source. You must also remove the DNS exceptions entries for DNS Security to be fully bypassed. On PAN-OS 9.1, you can simply set the policy action for Palo Alto Networks DNS Security to allow.

PAN-OS 10.0 and later

  1. Configure the DNS Security signature policy settings to bypass DNS Security queries.
    1. Select Objects > Security Profiles > Anti-Spyware.
    2. Select the profile containing your active DNS Security policy settings.
    3. Select the DNS Policies tab.
    4. For each DNS category, set the log severity to none, the policy action to allow, and packet capture to disable. In the following, the DNS Security categories have been configured to bypass DNS Security queries.
  2. Select DNS Exceptions and remove all DNS Domain/FQDN Allow List entries.
  3. Click OK to save the Anti-Spyware profile.
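
Because a bypass applied while troubleshooting is easy to leave in place, an exported configuration can be checked for the exact bypass state set in the steps above. This is an added example, not Palo Alto Networks code: the XML element names, the category names and the `audit_profiles` helper are assumptions, and the sample export is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element and category names are an ASSUMED layout for
# an exported Anti-Spyware profile; check them against your own export.
SAMPLE = """<spyware>
 <entry name="tshoot"><botnet-domains>
  <dns-security-categories>
   <entry name="pan-dns-sec-malware"><log-level>none</log-level>
    <action>allow</action><packet-capture>disable</packet-capture></entry>
   <entry name="pan-dns-sec-cc"><log-level>none</log-level>
    <action>allow</action><packet-capture>disable</packet-capture></entry>
  </dns-security-categories>
 </botnet-domains></entry>
 <entry name="branch"><botnet-domains>
  <dns-security-categories>
   <entry name="pan-dns-sec-malware"><log-level>default</log-level>
    <action>sinkhole</action><packet-capture>disable</packet-capture></entry>
   <entry name="pan-dns-sec-cc"><log-level>none</log-level>
    <action>allow</action><packet-capture>disable</packet-capture></entry>
  </dns-security-categories>
  <whitelist><entry name="intranet.example"/></whitelist>
 </botnet-domains></entry>
</spyware>"""

# The three per-category settings that the procedure uses to bypass a category.
BYPASS = {"log-level": "none", "action": "allow", "packet-capture": "disable"}

def audit_profiles(xml_text):
    """Classify each profile as bypassed, partial or enforcing."""
    report = {}
    for prof in ET.fromstring(xml_text).findall("entry"):
        cats = prof.findall("botnet-domains/dns-security-categories/entry")
        # A category counts as bypassed only if all three settings match.
        off = [c.get("name") for c in cats
               if all((c.findtext(k) or "").strip() == v
                      for k, v in BYPASS.items())]
        allow_list = [e.get("name") for e in
                      prof.findall("botnet-domains/whitelist/entry")]
        if cats and len(off) == len(cats) and not allow_list:
            state = "bypassed"      # every category open, no exceptions left
        elif off:
            state = "partial"       # some categories are no longer inspected
        else:
            state = "enforcing"
        report[prof.get("name")] = {"state": state, "bypassed_categories": off,
                                    "allow_list": allow_list}
    return report

if __name__ == "__main__":
    for name, result in audit_profiles(SAMPLE).items():
        print(name, result)
```

A `partial` result is worth reviewing as well, since it means at least one category is allowed without logging while the profile still appears to be enforcing.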

PAN-OS 9.1

  1. Configure DNS Security signature policy settings to bypass DNS Security look-ups.
    1. Select Objects > Security Profiles > Anti-Spyware.
    2. Select the profile containing your active DNS Security policy settings.
    3. Select the DNS Signatures tab.
    4. Under Policies & Settings, set the policy action for Palo Alto Networks DNS Security to an action of allow.
  2. Click OK to save the Anti-Spyware profile.
