Advanced DNS Security Powered by Precision AI™
Test Connectivity to the DNS Security Cloud Services
Table of Contents
Test Connectivity to the DNS Security Cloud Services
Where Can I Use This? | What Do I Need? |
---|---|
|
|
DNS Security
Verify your firewall connectivity to the DNS Security service. If you cannot
reach the service, verify that the following domain is not being blocked:
dns.service.paloaltonetworks.com.
- Access the firewall CLI.Use the following CLI command to verify your firewall’s connection availability to the DNS Security service.
show dns-proxy dns-signature info
For example:show dns-proxy dns-signture info Cloud URL: dns.service.paloaltonetworks.com:443 Telemetry URL: io.dns.service.paloaltonetworks.com:443 Last Result: None Last Server Address: Parameter Exchange: Interval 300 sec Allow List Refresh: Interval 43200 sec Request Waiting Transmission: 0 Request Pending Response: 0 Cache Size: 0
If your firewall has an active connection to the DNS Security service, the server details display in the response output.Retrieve a specified domain’s transaction details, such as latency, TTL, and the signature category.Use the following CLI command on the firewall to review the details about a domain:test dns-proxy dns-signature fqdn
For example:test dns-proxy dns-signature fqdn www.yahoo.com DNS Signature Query [ www.yahoo.com ] Completed in 178 ms DNS Signature Response Entries: 2 Domain Category GTID TTL ------------------------------------------------------------------------------------------------- *.yahoo.com Benign 0 86400 www.yahoo.com Benign 0 3600
Advanced DNS Security
Verify your firewall connectivity to the Advanced DNS Security service. If you cannot reach the service, verify that the following domain is not being blocked: adv-dns.service.paloaltonetworks.com. If you have manually configured a regional Advanced DNS Security server, you may need to verify the specific regional domain is also unblocked.- Verify the status of your firewall connectivity to the Advanced DNS Security cloud service.Use the following CLI command on the firewall to view the connection status.
show ctd-agent status security-client
For example:show ctd-agent status security-client ... Security Client ADNS(1) Current cloud server: qa.adv-dns.service.paloaltonetworks.com:443 Cloud connection: connected Config: Number of gRPC connections: 2, Number of workers: 8 Debug level: 2, Insecure connection: false, Cert valid: true, Key valid: true, CA count: 306 Maximum number of workers: 12 Maximum number of sessions a worker should process before reconnect: 10240 Maximum number of messages per worker: 0 Skip cert verify: false Grpc Connection Status: State Ready (3), last err rpc error: code = Unavailable desc = unexpected HTTP status code received from server: 502 (Bad Gateway); transport: received unexpected content-type "text/html" Pool state: Ready (2) last update: 2024-01-24 11:15:00.549591469 -0800 PST m=+1197474.129493596 last connection retry: 2024-01-23 00:03:09.093756623 -0800 PST m=+1070762.673658768 last pool close: 2024-01-22 14:15:50.36062031 -0800 PST m=+1035523.940522446 Security Client AdnsTelemetry(2) Current cloud server: io-qa.adv-dns.service.paloaltonetworks.com:443 Cloud connection: connected Config: Number of gRPC connections: 2, Number of workers: 8 Debug level: 2, Insecure connection: false, Cert valid: true, Key valid: true, CA count: 306 Maximum number of workers: 12 Maximum number of sessions a worker should process before reconnect: 10240 Maximum number of messages per worker: 0 Skip cert verify: false Grpc Connection Status: State Ready (3), last err rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: PROTOCOL_ERROR Pool state: Ready (2) last update: 2024-01-24 11:25:58.340198656 -0800 PST m=+1198131.920100772 last connection retry: 2024-01-23 00:03:36.78141425 -0800 PST m=+1070790.361316421 last pool close: 2024-01-22 14:24:26.954340157 -0800 PST m=+1036040.534242289 ...
Verify that the cloud connection status for Security Client AdnsTelemetry(2) and Security Client ADNS(1) are showing active connections.CLI output shortened for brevity.If you are unable to connect to the Advanced DNS Security cloud service, verify that the Advanced DNS server is not being blocked: dns.service.paloaltonetworks.com.