Configure Lookup Timeout
DNS Security

Where Can I Use This?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS or Panorama Managed)
  • VM-Series
  • CN-Series Firewall
What Do I Need?
  • DNS Security License
  • Advanced Threat Prevention or Threat Prevention License
If the firewall cannot retrieve a signature verdict in the allotted time due to connectivity issues, the request, including all subsequent DNS responses, is passed through. You can check the average latency to verify that requests fall within the configured period. If the average latency exceeds the configured period, consider raising the setting to a value higher than the average latency to prevent requests from timing out.
  1. In the CLI, issue the following command to view the average latency.
    show dns-proxy dns-signature counters
    The default timeout is 100 milliseconds.
  2. Scroll down through the output to the latency section under the Signature query API heading and verify that the average latency falls within the defined timeout period. This latency indicates the amount of time it takes, on average, to retrieve a signature verdict from the DNS security service. Additional latency statistics for various latency periods can be found below the averages.
    Signature query API:
    .
    .
    .
        [latency ] :
            max 1870 (ms) min 16(ms) avg 27(ms)
            50 or less : 47246
            100 or less : 113
            200 or less : 25
            400 or less : 15
            else : 21
  3. If the average latency is consistently above the default timeout value, you can raise the setting so that the requests fall within a given period. Select Device > Content-ID and update the Realtime Signature Lookup setting.
  4. Commit the changes.
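
The check in steps 1 to 3 can be scripted. The following Python code is an added example, not part of the original documentation or any Palo Alto Networks tooling; it parses the latency section in the format shown in step 2 and reports how many lookups exceeded a given timeout. It assumes the histogram rows are disjoint ranges (the counts shown are not cumulative) and that a lookup exactly at the timeout counts as within it; the function names are hypothetical.

```python
import re

# Constructed sample: the latency section in the format printed in step 2.
SAMPLE = """\
Signature query API:
    [latency ] :
        max 1870 (ms) min 16(ms) avg 27(ms)
        50 or less : 47246
        100 or less : 113
        200 or less : 25
        400 or less : 15
        else : 21
"""

def parse_latency(text):
    """Return ({'max','min','avg'} in ms, [(upper_bound_ms or None, count), ...])."""
    stats = {k: int(v) for k, v in
             re.findall(r"\b(max|min|avg)\s*(\d+)\s*\(ms\)", text)}
    if set(stats) != {"max", "min", "avg"}:
        raise ValueError("latency summary line not found")
    buckets = [(int(b), int(c)) for b, c in
               re.findall(r"(\d+) or less\s*:\s*(\d+)", text)]
    overflow = re.search(r"\belse\s*:\s*(\d+)", text)
    if overflow:
        buckets.append((None, int(overflow.group(1))))  # no upper bound
    return stats, buckets

def assess(text, timeout_ms=100):
    """Compare the average and the histogram tail against the lookup timeout."""
    stats, buckets = parse_latency(text)
    total = sum(count for _, count in buckets)
    # Assumption: rows are disjoint ranges, so a row whose upper bound is above
    # the timeout holds only lookups slower than the previous row's bound.
    # If the timeout is not a row boundary, this over-counts (upper bound).
    late = sum(count for bound, count in buckets
               if bound is None or bound > timeout_ms)
    return {
        "avg_ms": stats["avg"],
        "avg_within_timeout": stats["avg"] <= timeout_ms,
        "total": total,
        "late": late,
        "late_ratio": late / total if total else 0.0,
    }

if __name__ == "__main__":
    print(assess(SAMPLE, timeout_ms=100))
```

For the sample output, the 27 ms average is well inside the 100 ms default, yet 61 of 47,420 lookups fall in the rows above 100 ms, which is the tail the average alone does not show.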
