Test Connectivity to the DNS Security Cloud Services
Advanced DNS Security Powered by Precision AI™

Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
  • VM-Series
  • CN-Series

What Do I Need?
  • Advanced DNS Security License (for enhanced feature support) or DNS Security License
  • Advanced Threat Prevention or Threat Prevention License

DNS Security

Verify your firewall connectivity to the DNS Security service. If you cannot reach the service, verify that the following domain is not being blocked: dns.service.paloaltonetworks.com.
  1. Access the firewall CLI.
  2. Use the following CLI command to verify your firewall’s connection availability to the DNS Security service.
    show dns-proxy dns-signature info
    For example:
    show dns-proxy dns-signature info
    
    Cloud URL: dns.service.paloaltonetworks.com:443
    
    Telemetry URL: io.dns.service.paloaltonetworks.com:443
    
    Last Result: None
    
    Last Server Address:
    
    Parameter Exchange: Interval 300 sec
    
    Allow List Refresh: Interval 43200 sec
    
    Request Waiting Transmission: 0
    
    Request Pending Response: 0
    
    Cache Size: 0
    
    If your firewall has an active connection to the DNS Security service, the server details display in the response output.
  3. Retrieve a specified domain’s transaction details, such as latency, TTL, and the signature category.
    Use the following CLI command on the firewall to review the details about a domain:
    test dns-proxy dns-signature fqdn <fqdn>
    For example:
    test dns-proxy dns-signature fqdn www.yahoo.com
    
    DNS Signature Query [ www.yahoo.com ]
    
    Completed in 178 ms
    
    DNS Signature Response
    
    Entries: 2
    
    Domain                             Category        GTID                 TTL
    -------------------------------------------------------------------------------------------------
    *.yahoo.com                        Benign          0                    86400
      www.yahoo.com                    Benign          0                    3600
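    As an added example (not part of the Palo Alto Networks documentation), the following Python parses the two outputs above the way a script collecting them over SSH or the XML API would; it treats an empty Last Server Address together with Last Result None as "not connected", which is an assumption drawn from the note in step 2.

```python
# Added example: parse PAN-OS 'show dns-proxy dns-signature info' and
# 'test dns-proxy dns-signature fqdn <fqdn>' output. Samples are constructed
# (abridged from the page); treating an empty Last Server Address as "not
# connected" is an assumption, not a documented rule.
import re

INFO_OUTPUT = """\
Cloud URL: dns.service.paloaltonetworks.com:443
Telemetry URL: io.dns.service.paloaltonetworks.com:443
Last Result: None
Last Server Address:
Parameter Exchange: Interval 300 sec
"""

FQDN_OUTPUT = """\
DNS Signature Query [ www.yahoo.com ]
Completed in 178 ms
DNS Signature Response
Entries: 2
Domain                             Category        GTID                 TTL
------------------------------------------------------------------------------
*.yahoo.com                        Benign          0                    86400
  www.yahoo.com                    Benign          0                    3600
"""

def parse_info(text):
    """Return the 'Key: value' lines as a dict; an empty value stays ''."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def dns_security_connected(text):
    """True only if the cloud answered and a server address is shown."""
    f = parse_info(text)
    return f.get("Last Result", "None") != "None" and bool(f.get("Last Server Address"))

def parse_fqdn_test(text):
    """Return (latency_ms, [(domain, category, gtid, ttl), ...])."""
    latency = int(re.search(r"Completed in (\d+) ms", text).group(1))
    entries = []
    for line in text.splitlines():
        # Data rows end in two integers (GTID, TTL); the header row and the
        # dashed rule therefore do not match.
        m = re.match(r"\s*(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            entries.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return latency, entries
```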

Advanced DNS Security

Verify your firewall connectivity to the Advanced DNS Security service. If you cannot reach the service, verify that the following domain is not being blocked: adv-dns.service.paloaltonetworks.com. If you have manually configured a regional Advanced DNS Security server, you may need to verify the specific regional domain is also unblocked.
  1. Verify the status of your firewall connectivity to the Advanced DNS Security cloud service.
    Use the following CLI command on the firewall to view the connection status.
    show ctd-agent status security-client 
    For example:
    show ctd-agent status security-client
    
    ...
    Security Client ADNS(1)
            Current cloud server:   qa.adv-dns.service.paloaltonetworks.com:443
            Cloud connection:       connected
            Config:
                    Number of gRPC connections: 2, Number of workers: 8
                    Debug level: 2, Insecure connection: false, Cert valid: true, Key valid: true, CA count: 306
                    Maximum number of workers: 12
                    Maximum number of sessions a worker should process before reconnect: 10240
                    Maximum number of messages per worker: 0
                    Skip cert verify: false
            Grpc Connection Status:
                    State Ready (3), last err rpc error: code = Unavailable desc = unexpected HTTP status code received from server: 502 (Bad Gateway); transport: received unexpected content-type "text/html"
                    Pool state: Ready (2)
                         last update: 2024-01-24 11:15:00.549591469 -0800 PST m=+1197474.129493596
                         last connection retry: 2024-01-23 00:03:09.093756623 -0800 PST m=+1070762.673658768
                         last pool close: 2024-01-22 14:15:50.36062031 -0800 PST m=+1035523.940522446
    Security Client AdnsTelemetry(2)
            Current cloud server:   io-qa.adv-dns.service.paloaltonetworks.com:443
            Cloud connection:       connected
            Config:
                    Number of gRPC connections: 2, Number of workers: 8
                    Debug level: 2, Insecure connection: false, Cert valid: true, Key valid: true, CA count: 306
                    Maximum number of workers: 12
                    Maximum number of sessions a worker should process before reconnect: 10240
                    Maximum number of messages per worker: 0
                    Skip cert verify: false
            Grpc Connection Status:
                    State Ready (3), last err rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: PROTOCOL_ERROR
                    Pool state: Ready (2)
                         last update: 2024-01-24 11:25:58.340198656 -0800 PST m=+1198131.920100772
                         last connection retry: 2024-01-23 00:03:36.78141425 -0800 PST m=+1070790.361316421
                         last pool close: 2024-01-22 14:24:26.954340157 -0800 PST m=+1036040.534242289
    ...
    Verify that the cloud connection status for both Security Client ADNS(1) and Security Client AdnsTelemetry(2) shows an active connection (Cloud connection: connected).
    CLI output shortened for brevity.
    If you are unable to connect to the Advanced DNS Security cloud service, verify that the Advanced DNS server is not being blocked: dns.service.paloaltonetworks.com.
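    As an added example (not part of the Palo Alto Networks documentation), the following Python splits the `show ctd-agent status security-client` output into one record per security client and checks that both ADNS(1) and AdnsTelemetry(2) report Cloud connection: connected with a Ready gRPC state; the sample is constructed and abridged from the output above, and the "last err" text is reported rather than treated as a failure, since the page shows it alongside a connected state.

```python
# Added example: parse PAN-OS 'show ctd-agent status security-client' output
# and check both Advanced DNS Security clients. Constructed, abridged sample.
import re

STATUS_OUTPUT = """\
Security Client ADNS(1)
        Current cloud server:   qa.adv-dns.service.paloaltonetworks.com:443
        Cloud connection:       connected
                State Ready (3), last err rpc error: code = Unavailable desc = unexpected HTTP status code received from server: 502 (Bad Gateway)
Security Client AdnsTelemetry(2)
        Current cloud server:   io-qa.adv-dns.service.paloaltonetworks.com:443
        Cloud connection:       connected
                State Ready (3), last err rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: PROTOCOL_ERROR
"""

# Both clients must be up: ADNS(1) for lookups, AdnsTelemetry(2) for telemetry.
REQUIRED_CLIENTS = ("ADNS(1)", "AdnsTelemetry(2)")

def parse_clients(text):
    """Return {client_name: {server, connection, grpc_state, last_err}}."""
    clients, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Security Client (\S+)", line)
        s = line.strip()
        if m:
            current = clients.setdefault(m.group(1), {})
        elif current is None:
            continue
        elif s.startswith("Current cloud server:"):
            current["server"] = s.split(":", 1)[1].strip()
        elif s.startswith("Cloud connection:"):
            current["connection"] = s.split(":", 1)[1].strip()
        elif s.startswith("State "):
            # 'State Ready (3), last err ...': the error is the last one seen.
            state, _, err = s.partition(", last err ")
            current["grpc_state"] = state.split()[1]
            current["last_err"] = err or None
    return clients

def adns_health(text):
    """Return (all_connected, findings) for the required security clients."""
    clients = parse_clients(text)
    findings, ok = [], True
    for name in REQUIRED_CLIENTS:
        c = clients.get(name)
        if not c or c.get("connection") != "connected" or c.get("grpc_state") != "Ready":
            ok = False
            server = c.get("server", "unknown") if c else "unknown"
            findings.append(f"{name}: not connected to {server}; verify the server is not blocked")
        elif c.get("last_err"):
            findings.append(f"{name}: connected; last recorded error: {c['last_err']}")
    return ok, findings
```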