End-of-Life (EoL)

Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System

In this use case, multiple tenants (ISP subscribers) are defined on the firewall, and each tenant is allocated a separate virtual system (vsys) and virtual router in order to segment its services and administrative domains. The following figure illustrates several virtual systems within a firewall.
Each tenant has its own server profiles for Security policy rules, reporting, and management services (such as email, Kerberos, SNMP, syslog, and more) defined in its own networks.
For DNS resolutions initiated by these services, each virtual system is configured with its own DNS Proxy object, which lets each tenant customize how DNS resolution is handled within its virtual system. Any service with a will use the DNS Proxy object configured for the virtual system to determine the primary (or secondary) DNS server to resolve FQDNs, as illustrated in the following figure.
  1. For each virtual system, specify the DNS Proxy to use.
    1. Select Virtual Systems and click
    2. Enter the of the virtual system (range is 1-255) and an optional , in this example, Corp1 Corporation.
    3. On the tab, choose a DNS Proxy or create a new one.
    4. For , click . In this example, Ethernet1/20 is dedicated to this tenant.
    5. For Virtual Routers, click . A virtual router is assigned to the virtual system in order to separate routing functions.
    6. Click to save the configuration.
  2. Configure a DNS Proxy and a server profile to support DNS resolution for a virtual system.
    1. Select DNS Proxy and click
    2. Click and enter a for the DNS Proxy.
    3. For , select the virtual system of the tenant. (You could choose the DNS Proxy resource instead.)
    4. For Server Profile, choose or create a profile to customize the DNS servers used for DNS resolutions for this tenant’s security policy, reporting, and server profile services.
       If the profile is not already configured, in the Server Profile field, click DNS Server Profile to Configure a DNS Server Profile.
       The DNS server profile identifies the IP addresses of the primary and secondary DNS servers to use for management DNS resolutions for this virtual system.
    5. Also for this server profile, optionally configure a Service Route IPv4 and/or a Service Route IPv6 to instruct the firewall which Source Interface to use in its DNS requests. If that interface has more than one IP address, configure the Source Address
    6. Click to save the DNS Server Profile.
    7. Click to save the DNS Proxy.
       Optional advanced features such as split DNS can be configured using DNS Proxy Rules. A separate DNS server profile can be used to redirect DNS resolutions matching the Domain Name in a DNS Proxy Rule to another set of DNS servers, if required. Use Case 3 illustrates split DNS.
       If you use two separate DNS server profiles in the same DNS Proxy object, one for the DNS Proxy and one for the DNS proxy rule, the following behaviors occur:
       • If a service route is defined in the DNS server profile used by the DNS Proxy, it takes precedence and is used.
       • If a service route is defined in the DNS server profile used in the DNS proxy rules, it is not used. If that service route differs from the one defined in the DNS server profile used by the DNS Proxy, the following warning message is displayed during the
         Warning: The DNS service route defined in the DNS proxy object is different from the DNS proxy rule’s service route. Using the DNS proxy object’s service route.
       • If no service route is defined in any DNS server profile, the global service route is used if needed.
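The service-route precedence rules above are worth checking before a commit, because a rule-level service route is silently ignored. The following is an added example (not PAN-OS code or a PAN-OS API) that models a DNS Proxy object in plain Python and reports which source interface will actually be used, with constructed tenant data and field names that are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the objects the procedure above creates; the field
# names are this example's own, not PAN-OS configuration keys.
@dataclass
class DnsServerProfile:
    name: str
    primary: str
    secondary: Optional[str] = None
    service_route: Optional[str] = None   # source interface for DNS requests, if any

@dataclass
class DnsProxyRule:
    domain_name: str
    profile: DnsServerProfile

@dataclass
class DnsProxy:
    name: str
    profile: DnsServerProfile             # profile of the DNS Proxy object itself
    rules: list = field(default_factory=list)

WARNING = ("Warning: The DNS service route defined in the DNS proxy object is "
           "different from the DNS proxy rule's service route. "
           "Using the DNS proxy object's service route.")

def effective_service_route(proxy: DnsProxy, global_route: str = "global"):
    """Apply the documented precedence: the proxy's own profile wins, rule
    profiles are never used for the service route, and the global service
    route is the fallback. Returns (route, warnings), one warning per rule
    whose ignored service route differs from the route actually used."""
    warnings = []
    if proxy.profile.service_route is not None:
        route = proxy.profile.service_route
        for rule in proxy.rules:
            ignored = rule.profile.service_route
            if ignored is not None and ignored != route:
                warnings.append(f"{proxy.name}/{rule.domain_name}: {WARNING}")
    else:
        # The page states the global route applies when no profile defines one;
        # a rule-only route is not spelled out, so the global fallback is assumed.
        route = global_route
    return route, warnings

# Constructed example mirroring the Corp1 tenant: a split-DNS rule whose
# profile carries its own (ignored) service route on a different interface.
corp1_profile = DnsServerProfile("corp1-dns", "10.1.1.53", "10.1.1.54", "ethernet1/20")
internal_profile = DnsServerProfile("corp1-internal", "10.1.2.53", None, "ethernet1/21")
corp1_proxy = DnsProxy("corp1-proxy", corp1_profile, [DnsProxyRule("corp1.example", internal_profile)])
```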
