Use Case 1: Firewall Requires DNS Resolution for Management Purposes

In this use case, the firewall is the client requesting DNS resolutions of FQDNs for management events such as software update services, dynamic software updates, or WildFire. The shared, global DNS services perform the DNS resolution for the management plane functions.
dns_use1_environ.png
  1. Configure the primary and secondary DNS servers you want the firewall to use for its management DNS resolutions.
    You must manually configure at least one DNS server on the firewall or it won’t be able to resolve hostnames; the firewall cannot use DNS server settings from another source, such as an ISP.
    1. Edit the Services settings (
      Device
      Setup
      Services
      Global
      for firewalls that support multiple virtual systems;
      Device
      Setup
      Services
      for those that don’t).
    2. On the
      Services
      tab, for
      DNS
      , select
      Servers
      and enter the
      Primary DNS Server
      address and
      Secondary DNS Server
      address.
    3. Proceed to Step 3.
  2. Alternatively, you can configure a DNS Proxy Object if you want to configure advanced DNS functions such as split DNS, DNS proxy overrides, DNS proxy rules, static entries, or DNS inheritance.
    1. Edit the Services settings (
      Device
      Setup
      Services
      Global
      for firewalls that support multiple virtual systems;
      Device
      Setup
      Services
      for those that don’t).
    2. On the
      Services
      tab, for
      DNS
      , select
      DNS Proxy Object
      .
    3. From the
      DNS Proxy
      drop-down, select the DNS proxy that you want to use to configure global DNS services, or select
      DNS Proxy
      to configure a new DNS proxy object as follows:
      1. Enable
        and then enter a
        Name
        for the DNS proxy object.
      2. On firewalls that support multiple virtual systems, for
        Location
        , select
        Shared
        for global, firewall-wide DNS proxy services.
        Shared DNS proxy objects don’t use DNS server profiles because they don’t require a specific service route belonging to a tenant virtual system.
      3. Enter the
        Primary
        DNS server IP address. Optionally enter a
        Secondary
        DNS server IP address.
      4. Click
        OK
        to save the DNS Proxy object.
  3. For
    FQDN Refresh Time (sec)
    , enter the number of seconds after which the firewall refreshes an FQDN. The timer starts when the firewall receives a DNS response from the DNS server or DNS proxy object resolving the FQDN.
    • VM-Series
      —Range is 60 to 14,399; default is 1,800.
    • All other firewall models
      —Range is 600 to 14,399; default is 1,800.
      The FQDN Refresh Time does not apply to an FQDN used for an IKE VPN peer IP address (on any firewall model). The firewall refreshes an IKE VPN peer IP address configured as an FQDN at the TTL expiration time that the DNS server or DNS proxy object specifies.
  4. Click
    OK
    and
    Commit
    .

Related Documentation