Use Case 1: Firewall Requires DNS Resolution for Management Purposes

In this use case, the firewall itself is the DNS client: it resolves FQDNs for management-plane functions such as software update services, dynamic updates, and WildFire. The shared, global DNS settings configured here are what the management plane uses for those resolutions.
  1. Configure the primary and secondary DNS servers you want the firewall to use for its management DNS resolutions.
    You must manually configure at least one DNS server on the firewall or it won’t be able to resolve hostnames; the firewall cannot use DNS server settings from another source, such as an ISP.
    1. Edit the Services settings (Device > Setup > Services > Global for firewalls that support multiple virtual systems; Device > Setup > Services for those that don’t).
    2. On the Services tab, for DNS, select Servers and enter the Primary DNS Server address and Secondary DNS Server address.
    3. Proceed to Step 3.
  2. Alternatively, you can configure a DNS Proxy Object if you want to configure advanced DNS functions such as split DNS, DNS proxy overrides, DNS proxy rules, static entries, or DNS inheritance.
    1. Edit the Services settings (Device > Setup > Services > Global for firewalls that support multiple virtual systems; Device > Setup > Services for those that don’t).
    2. On the Services tab, for DNS, select DNS Proxy Object.
    3. From the DNS Proxy drop-down, select the DNS proxy that you want to use to configure global DNS services, or select DNS Proxy to configure a new DNS proxy object as follows:
      1. Enable and then enter a Name for the DNS proxy object.
      2. On firewalls that support multiple virtual systems, for Location, select Shared for global, firewall-wide DNS proxy services.
        Shared DNS proxy objects don’t use DNS server profiles because they don’t require a specific service route belonging to a tenant virtual system.
      3. Enter the Primary DNS server IP address. Optionally enter a Secondary DNS server IP address.
      4. Click OK to save the DNS Proxy object.
  3. For FQDN Refresh Time (sec), enter the number of seconds after which the firewall refreshes an FQDN. The timer starts when the firewall receives a DNS response from the DNS server or DNS proxy object resolving the FQDN.
    • VM-Series—Range is 60 to 14,399; default is 1,800.
    • All other firewall models—Range is 600 to 14,399; default is 1,800.
      The FQDN Refresh Time does not apply to an FQDN used for an IKE VPN peer IP address (on any firewall model). The firewall refreshes an IKE VPN peer IP address configured as an FQDN at the TTL expiration time that the DNS server or DNS proxy object specifies.
  4. Click OK and Commit.
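The procedure above is a manual UI workflow; when the same settings are pushed from automation it is worth validating them before the commit, in particular the FQDN Refresh Time range, which differs between VM-Series and hardware models. The script below is an added example for this page, not Palo Alto Networks code. It builds the XML fragment for the global DNS servers and the refresh timer, enforces the ranges from Step 3, and renders equivalent configure-mode set commands. The element names (dns-setting/servers/primary, dns-setting/servers/secondary, fqdn-refresh-time under deviceconfig/system) and the set command syntax are assumptions drawn from typical PAN-OS running configurations, not from this page; verify them against your own PAN-OS version before relying on them.

```python
"""Build and sanity-check the global management DNS settings (Steps 1, 3, 4).

Added example for this page; not Palo Alto Networks code.

Assumptions not stated on the page: the element names dns-setting/servers/
primary|secondary and fqdn-refresh-time under deviceconfig/system, and the
matching 'set deviceconfig system ...' CLI paths.  Check them against the
running configuration of your own PAN-OS version before use.
"""
from typing import List, Optional
import ipaddress
import xml.etree.ElementTree as ET

# Ranges from Step 3, in seconds.  Default is 1,800 on every model.
FQDN_REFRESH_RANGE = {"VM-Series": (60, 14399), "other": (600, 14399)}
FQDN_REFRESH_DEFAULT = 1800


def validate_fqdn_refresh(seconds: int, model: str = "other") -> int:
    """Return `seconds` if it is legal for the model, else raise ValueError."""
    key = "VM-Series" if model == "VM-Series" else "other"
    lo, hi = FQDN_REFRESH_RANGE[key]
    if not isinstance(seconds, int) or not lo <= seconds <= hi:
        raise ValueError(f"FQDN refresh {seconds!r}s outside {lo}-{hi} for {model}")
    return seconds


def validate_server(addr: str) -> str:
    """Accept only a usable unicast IP literal.  Hostnames are rejected on
    purpose: the firewall has nothing to resolve the resolver's name with."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on anything else
    if ip.is_unspecified or ip.is_multicast or ip.is_loopback:
        raise ValueError(f"{addr} is not a usable DNS server address")
    return str(ip)


def build_dns_config(primary: str, secondary: Optional[str] = None,
                     fqdn_refresh: int = FQDN_REFRESH_DEFAULT,
                     model: str = "other") -> ET.Element:
    """Return the <system> subtree for deviceconfig/system (assumed layout)."""
    primary = validate_server(primary)
    if secondary is not None:
        secondary = validate_server(secondary)
        if secondary == primary:
            raise ValueError("secondary DNS server must differ from primary")
    validate_fqdn_refresh(fqdn_refresh, model)

    system = ET.Element("system")
    servers = ET.SubElement(ET.SubElement(system, "dns-setting"), "servers")
    ET.SubElement(servers, "primary").text = primary
    if secondary is not None:
        ET.SubElement(servers, "secondary").text = secondary
    ET.SubElement(system, "fqdn-refresh-time").text = str(fqdn_refresh)
    return system


def to_set_commands(system: ET.Element) -> List[str]:
    """Render the subtree as configure-mode 'set' commands (assumed syntax)."""
    cmds = []
    servers = system.find("dns-setting/servers")
    for role in ("primary", "secondary"):
        node = servers.find(role) if servers is not None else None
        if node is not None:
            cmds.append(f"set deviceconfig system dns-setting servers {role} {node.text}")
    refresh = system.find("fqdn-refresh-time")
    if refresh is not None:
        cmds.append(f"set deviceconfig system fqdn-refresh-time {refresh.text}")
    return cmds


if __name__ == "__main__":
    # Constructed sample values for an internal resolver pair.
    cfg = build_dns_config("10.0.0.53", "10.0.0.54", fqdn_refresh=900)
    print(ET.tostring(cfg, encoding="unicode"))
    print("\n".join(to_set_commands(cfg)))
    print("commit")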

Related Documentation