Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for
Security Policies, Reporting, and Services within its Virtual System
In this use case, multiple tenants (ISP subscribers) are defined on the firewall and each tenant is allocated a separate virtual system (vsys) and virtual router in order to segment its services and administrative domains. The following figure illustrates several virtual systems within a firewall. Each virtual system has its own server profiles for Security policy rules, reporting, and management services (such as email, Kerberos, SNMP, syslog, and more) defined in its own networks.
For the DNS resolutions initiated by these services, each virtual system is configured with its own DNS Proxy object, which allows each tenant to customize how DNS resolution is handled within its virtual system. Any service whose server profile refers to a server by FQDN uses the DNS Proxy object configured for the virtual system to determine the primary (or secondary) DNS server that resolves the FQDN, as illustrated in the following figure.
For each virtual system, specify the DNS Proxy, the ID of the virtual system (range is 1-255), and the optional fields; in this example, the virtual system is named Corp1 Corporation. Select an existing DNS Proxy object or create a new one. In this example, Corp1 DNS Proxy is selected as the proxy for Corp1 Corporation's virtual system. The interface used by the tenant is assigned to its virtual system; in this example, Ethernet1/20 is dedicated to this tenant. A virtual router named Corp1 VR is assigned to the virtual system in order to separate routing functions.
Configure a DNS Proxy and a server profile to support DNS resolution for a virtual system. Create the DNS Proxy and enter a name for it. For its location, select the virtual system of the tenant, in this example, Corp1 Corporation (vsys6). (A different location could be chosen instead.)
Select an existing DNS server profile as the DNS Proxy resource, or create a profile to customize the DNS servers used for this tenant's security policy, reporting, and server profile resolutions. The DNS server profile identifies the IP addresses of the primary and secondary DNS server to use for management DNS resolutions for this virtual system.
Also for this server profile, optionally configure Service Route IPv4 (and the IPv6 equivalent) to instruct the firewall which source interface to use in its DNS requests. If that interface has more than one IP address, also configure the source address to use.
Leave the DNS Proxy's two default settings enabled (both are enabled by default). This is required if the DNS proxy object is used for the virtual system's management DNS resolutions.
Optional advanced features such as split DNS can be configured using DNS Proxy Rules. A separate DNS server profile can be used in a rule to redirect DNS resolutions for selected domains to another set of DNS servers, if required. Use Case 3 illustrates split DNS.
If you use two separate DNS server profiles in the same DNS Proxy object, one for the DNS Proxy itself and one for a DNS proxy rule, the following behaviors occur:
If a service route is defined in the DNS server profile used by the DNS Proxy, it takes precedence and is used.
If a service route is defined in the DNS server profile used by the DNS proxy rule, it is not used. If that service route differs from the one defined in the DNS server profile used by the DNS Proxy, the following warning message is displayed during the commit:
Warning: The DNS service route defined in the DNS proxy object is different from the DNS proxy rule’s service route. Using the DNS proxy object’s service route.
If no service route is defined in any DNS server profile, the global service route is used if needed.
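The following is an added example, not PAN-OS code and not its configuration API: a small Python model of the per-tenant DNS Proxy described in the procedure above and of the service-route precedence rules just listed. It shows split-DNS server selection (rule domain suffix versus default profile), the precedence of the DNS Proxy's own service route over a rule's, and a pre-commit check that reproduces the warning and flags a multi-address source interface without a source address. The class names, the `build_corp1_tenant` sample (vsys6, Corp1 DNS Proxy, Ethernet1/20) and every address and interface in `INTERFACES` are constructed assumptions.

```python
"""Per-vsys DNS Proxy model: split-DNS lookup, service-route precedence, pre-commit checks.
Added example; the classes, sample tenant and addresses are assumptions, not PAN-OS code."""
from dataclasses import dataclass, field
from typing import Optional

WARN_RULE_ROUTE = ("Warning: The DNS service route defined in the DNS proxy object is "
                   "different from the DNS proxy rule's service route. "
                   "Using the DNS proxy object's service route.")


@dataclass(frozen=True)
class ServiceRoute:
    """Source interface (and, if it carries several IPs, the source address) for DNS queries."""
    source_interface: str
    source_address: Optional[str] = None


@dataclass
class DnsServerProfile:
    name: str
    primary: str
    secondary: Optional[str] = None
    service_route: Optional[ServiceRoute] = None


@dataclass
class DnsProxyRule:
    """Split-DNS rule: queries for these domain suffixes use the rule's own server profile."""
    name: str
    domains: tuple
    profile: DnsServerProfile


@dataclass
class DnsProxy:
    name: str
    vsys: str                       # e.g. "vsys6"
    default_profile: DnsServerProfile
    rules: list = field(default_factory=list)


# Constructed interface table (assumption): interface name -> IP addresses configured on it.
INTERFACES = {
    "ethernet1/20": ("198.51.100.2", "198.51.100.3"),   # two IPs: a source address is needed
    "ethernet1/21": ("203.0.113.2",),
}


def servers_for(proxy: DnsProxy, fqdn: str) -> tuple:
    """Return (primary, secondary) for an FQDN: longest matching rule suffix wins, else the default profile."""
    fqdn = fqdn.rstrip(".").lower()
    best = None
    for rule in proxy.rules:
        for suffix in rule.domains:
            suffix = suffix.lower()
            matches = fqdn == suffix or fqdn.endswith("." + suffix)
            if matches and (best is None or len(suffix) > len(best[0])):
                best = (suffix, rule.profile)
    prof = best[1] if best else proxy.default_profile
    return tuple(s for s in (prof.primary, prof.secondary) if s)


def effective_service_route(proxy: DnsProxy, global_route: Optional[ServiceRoute] = None):
    """Precedence from the text: the DNS Proxy's own profile wins; a rule's route is never used;
    with no route in any profile the global service route applies."""
    if proxy.default_profile.service_route is not None:
        return proxy.default_profile.service_route
    return global_route


def validate(proxy: DnsProxy, interfaces=INTERFACES) -> list:
    """Pre-commit checks (our own, modelled on the page): a rule route that differs from the
    proxy's, and a multi-address source interface without a source address."""
    findings = []
    own = proxy.default_profile.service_route
    for rule in proxy.rules:
        route = rule.profile.service_route
        if route is not None and route != own:
            findings.append(f"{WARN_RULE_ROUTE} (rule: {rule.name})")
    for prof in [proxy.default_profile] + [r.profile for r in proxy.rules]:
        route = prof.service_route
        if route is None:
            continue
        addrs = interfaces.get(route.source_interface, ())
        if len(addrs) > 1 and route.source_address is None:
            findings.append(f"Error: profile {prof.name}: {route.source_interface} has "
                            f"{len(addrs)} addresses; set a source address.")
        elif route.source_address is not None and route.source_address not in addrs:
            findings.append(f"Error: profile {prof.name}: {route.source_address} is not "
                            f"configured on {route.source_interface}.")
    return findings


def build_corp1_tenant() -> DnsProxy:
    """Constructed tenant using the page's names: vsys6 (Corp1 Corporation) with Corp1 DNS Proxy."""
    default = DnsServerProfile("Corp1 DNS servers", "10.6.0.53", "10.6.0.54",
                               ServiceRoute("ethernet1/20", "198.51.100.2"))
    internal = DnsServerProfile("Corp1 internal DNS", "10.6.10.53",
                                service_route=ServiceRoute("ethernet1/21"))  # differs: warning
    return DnsProxy("Corp1 DNS Proxy", "vsys6", default,
                    rules=[DnsProxyRule("corp1-internal", ("corp1.internal",), internal)])


if __name__ == "__main__":
    proxy = build_corp1_tenant()
    print(servers_for(proxy, "syslog.corp1.internal"))   # rule profile
    print(servers_for(proxy, "www.example.com"))         # default profile
    print(effective_service_route(proxy, ServiceRoute("management")))
    for finding in validate(proxy):
        print(finding)
```

Running the block prints the rule-selected server for `syslog.corp1.internal`, the default pair for `www.example.com`, the DNS Proxy's own service route (the rule's `ethernet1/21` route is ignored, as the page states), and the single warning that the differing rule route produces; removing the source address from the `ethernet1/20` route turns that into an error, which is the check a practitioner wants before a commit rather than after it.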