Test Connectivity to the DNS Security Cloud Services
Advanced DNS Security

Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
  • VM-Series
  • CN-Series

What Do I Need?
  • Advanced DNS Security License (for enhanced feature support) or DNS Security License
  • Advanced Threat Prevention or Threat Prevention License

DNS Security

Verify your firewall connectivity to the DNS Security service. If you cannot reach the service, verify that the following domain is not being blocked: dns.service.paloaltonetworks.com.
  1. Access the firewall CLI.
  2. Use the following CLI command to verify your firewall’s connection availability to the DNS Security service.
    show dns-proxy dns-signature info
    For example:
    show dns-proxy dns-signature info
    Cloud URL:                     dns.service.paloaltonetworks.com:443
    Telemetry URL:                 io.dns.service.paloaltonetworks.com:443
    Last Result:                   None
    Last Server Address:
    Parameter Exchange:            Interval 300 sec
    Allow List Refresh:            Interval 43200 sec
    Request Waiting Transmission:  0
    Request Pending Response:      0
    Cache Size:                    0
    If your firewall has an active connection to the DNS Security service, the server details display in the response output.
  3. Retrieve a specified domain’s transaction details, such as latency, TTL, and the signature category.
    Use the following CLI command on the firewall to review the details about a domain:
    test dns-proxy dns-signature fqdn
    For example:
    test dns-proxy dns-signature fqdn www.yahoo.com
    DNS Signature Query [ www.yahoo.com ] Completed in 178 ms
    DNS Signature Response Entries: 2
    Domain              Category    GTID    TTL
    -------------------------------------------------------
    *.yahoo.com         Benign      0       86400
    www.yahoo.com       Benign      0       3600

Advanced DNS Security

Verify your firewall connectivity to the Advanced DNS Security service. If you cannot reach the service, verify that the following domain is not being blocked: adv-dns.service.paloaltonetworks.com. If you have manually configured a regional Advanced DNS Security server, you may need to verify the specific regional domain is also unblocked.
  1. Verify the status of your firewall connectivity to the Advanced DNS Security cloud service.
    Use the following CLI command on the firewall to view the connection status.
    show ctd-agent status security-client
    For example:
    show ctd-agent status security-client
    ...
    Security Client ADNS(1)
        Current cloud server: qa.adv-dns.service.paloaltonetworks.com:443
        Cloud connection: connected
        Config:
            Number of gRPC connections: 2, Number of workers: 8
            Debug level: 2, Insecure connection: false, Cert valid: true, Key valid: true, CA count: 306
            Maximum number of workers: 12
            Maximum number of sessions a worker should process before reconnect: 10240
            Maximum number of messages per worker: 0
            Skip cert verify: false
        Grpc Connection Status:
            State Ready (3), last err rpc error: code = Unavailable desc = unexpected HTTP status code received from server: 502 (Bad Gateway); transport: received unexpected content-type "text/html"
            Pool state: Ready (2)
            last update: 2024-01-24 11:15:00.549591469 -0800 PST m=+1197474.129493596
            last connection retry: 2024-01-23 00:03:09.093756623 -0800 PST m=+1070762.673658768
            last pool close: 2024-01-22 14:15:50.36062031 -0800 PST m=+1035523.940522446
    Security Client AdnsTelemetry(2)
        Current cloud server: io-qa.adv-dns.service.paloaltonetworks.com:443
        Cloud connection: connected
        Config:
            Number of gRPC connections: 2, Number of workers: 8
            Debug level: 2, Insecure connection: false, Cert valid: true, Key valid: true, CA count: 306
            Maximum number of workers: 12
            Maximum number of sessions a worker should process before reconnect: 10240
            Maximum number of messages per worker: 0
            Skip cert verify: false
        Grpc Connection Status:
            State Ready (3), last err rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: PROTOCOL_ERROR
            Pool state: Ready (2)
            last update: 2024-01-24 11:25:58.340198656 -0800 PST m=+1198131.920100772
            last connection retry: 2024-01-23 00:03:36.78141425 -0800 PST m=+1070790.361316421
            last pool close: 2024-01-22 14:24:26.954340157 -0800 PST m=+1036040.534242289
    ...
    CLI output shortened for brevity.
    Verify that the Cloud connection status for both Security Client ADNS(1) and Security Client AdnsTelemetry(2) shows an active connection (connected).
    If you are unable to connect to the Advanced DNS Security cloud service, verify that the Advanced DNS server is not being blocked: dns.service.paloaltonetworks.com.
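To make the check in step 1 repeatable (for example from a script that collects the CLI output over SSH), the following added Python parser, which is not part of this page or of PAN-OS, splits show ctd-agent status security-client output into one record per Security Client and flags any client that is not connected with a Ready gRPC state and pool. The sample output is constructed in the shape shown above (hostnames taken from the page's example, the telemetry client deliberately unhealthy); the field names and the health rule are assumptions, not a documented API.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `show ctd-agent status security-client` output (not a real
# capture); the telemetry client is deliberately unhealthy so the check has something to flag.
SAMPLE = """\
Security Client ADNS(1)
    Current cloud server: qa.adv-dns.service.paloaltonetworks.com:443
    Cloud connection: connected
    Grpc Connection Status:
        State Ready (3), last err rpc error: code = Unavailable desc = 502 (Bad Gateway)
        Pool state: Ready (2)
Security Client AdnsTelemetry(2)
    Current cloud server: io-qa.adv-dns.service.paloaltonetworks.com:443
    Cloud connection: disconnected
    Grpc Connection Status:
        State TransientFailure (4), last err rpc error: code = Unavailable desc = dial failed
        Pool state: Closed (0)
"""

CLIENT_RE = re.compile(r"^Security Client (\w+)\((\d+)\)\s*$")
FIELD_RE = re.compile(r"^\s+(Current cloud server|Cloud connection|Pool state):\s*(.*?)\s*$")
STATE_RE = re.compile(r"^\s+State (\w+) \((\d+)\)(?:, last err (.*))?$")
@dataclass
class ClientStatus:
    name: str
    current_cloud_server: str = ""
    cloud_connection: str = ""
    grpc_state: str = ""
    last_err: str = ""   # historical; a connected client can still carry an old error here
    pool_state: str = ""

    def healthy(self) -> bool:
        return (self.cloud_connection == "connected" and self.grpc_state == "Ready"
                and self.pool_state.startswith("Ready"))
def parse_security_clients(text: str) -> dict:
    # One ClientStatus per 'Security Client <name>(<n>)' block, keyed by name.
    clients, current = {}, None
    for line in text.splitlines():
        if m := CLIENT_RE.match(line):
            current = clients[m.group(1)] = ClientStatus(m.group(1))
        elif current is None:
            continue                      # preamble before the first client block
        elif m := FIELD_RE.match(line):   # 'Current cloud server' -> current_cloud_server, etc.
            setattr(current, m.group(1).lower().replace(" ", "_"), m.group(2))
        elif m := STATE_RE.match(line):
            current.grpc_state, current.last_err = m.group(1), m.group(3) or ""
    return clients

def unhealthy_clients(text: str) -> list:
    # Names of clients that are not connected/Ready: the condition step 1 asks you to check.
    return sorted(n for n, c in parse_security_clients(text).items() if not c.healthy())
```

Feed the real CLI output in place of SAMPLE; an empty list from unhealthy_clients means both ADNS(1) and AdnsTelemetry(2) are up.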
