FQDN Refresh Enhancement

By default, the firewall refreshes FQDNs based on the DNS TTL value for the FQDN as long as the TTL is greater than or equal to the minimum FQDN refresh setting configured or the default setting of 30 seconds.
A DNS record for an FQDN includes a time-to-live (TTL) value and, by default, the firewall now refreshes each FQDN in its cache based on the individual TTL provided by the DNS server, as long as that TTL is greater than or equal to the minimum FQDN refresh setting you configure on the firewall (or greater than or equal to the default setting of 30 seconds if you don’t configure a minimum FQDN refresh setting). Refreshing an FQDN based on its TTL value results in more accurate FQDN resolutions. This is especially helpful for securing access to cloud platform services, which often require frequent FQDN refreshes to ensure that their services are available. For example, cloud environments that support autoscaling depend on FQDN resolutions to scale services up and down dynamically; fast FQDN resolution is critical in such time-sensitive environments.
You can configure the firewall with a Minimum FQDN Refresh Time to limit how small a TTL value the firewall honors. If your IP addresses don’t change very often, you can set a higher Minimum FQDN Refresh Time so that the firewall doesn’t refresh entries more often than necessary. The firewall uses the higher of the DNS TTL time and the configured Minimum FQDN Refresh Time.
Additionally, you can set a stale-entry timeout to configure how long the firewall continues to use stale (expired) FQDN resolutions in the event of an unreachable DNS Server.
  1. Select Device > Setup > Services > Global (omit Global on a firewall without multiple virtual system capability) and edit the Services settings.
  2. Configure the FQDN timers for the firewall:
    1. Select DNS Servers or DNS Proxy Object.
    2. Enter the Minimum FQDN Refresh Time (sec) in seconds to limit how frequently the firewall will refresh the FQDN cache entries (range is 0 to 14,400; default is 30). A setting of 0 means the firewall will refresh the FQDN based on the TTL value in the DNS record; the firewall doesn’t enforce a minimum FQDN refresh time.
    3. Enter the FQDN Stale Entry Timeout (min) in minutes, which is the length of time that the firewall continues to use stale FQDN resolutions in the event of an unreachable DNS server (range is 0 to 10,080; default is 1,440). A value of 0 means the firewall does not use a stale FQDN entry.
    4. Click OK.
  3. Commit your changes.
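The following is an added example, not code from the PAN-OS documentation or product: a small model of the two timers described above, showing which interval the firewall honors (the higher of the DNS TTL and the Minimum FQDN Refresh Time, or the raw TTL when the minimum is 0) and how the FQDN Stale Entry Timeout keeps an expired resolution usable only while the DNS server is unreachable. The function and class names, the cache-entry structure and the sample addresses are assumptions for illustration, not firewall APIs.

```python
# Added illustration of the FQDN refresh / stale-entry semantics (assumed
# model, not PAN-OS code). Defaults are the values stated on the page.
from dataclasses import dataclass, field

DEFAULT_MIN_REFRESH_SEC = 30        # Minimum FQDN Refresh Time (sec), default 30
DEFAULT_STALE_TIMEOUT_MIN = 1440    # FQDN Stale Entry Timeout (min), default 1,440


def refresh_interval(dns_ttl: int, min_refresh_sec: int = DEFAULT_MIN_REFRESH_SEC) -> int:
    """Seconds the firewall waits before re-resolving an FQDN.

    A minimum of 0 disables the floor, so the DNS TTL is honored as-is;
    otherwise the higher of the TTL and the configured minimum wins.
    """
    if min_refresh_sec == 0:
        return dns_ttl
    return max(dns_ttl, min_refresh_sec)


@dataclass
class FqdnEntry:
    fqdn: str
    addresses: list = field(default_factory=list)  # constructed sample data
    resolved_at: float = 0.0                        # epoch seconds of last resolution
    ttl: int = 0                                    # TTL returned by the DNS server


def lookup(entry: FqdnEntry, now: float, dns_reachable: bool,
           min_refresh_sec: int = DEFAULT_MIN_REFRESH_SEC,
           stale_timeout_min: int = DEFAULT_STALE_TIMEOUT_MIN):
    """Classify a cache entry at time `now` and return (status, addresses).

    'fresh'   : refresh interval not yet elapsed, cached answer is served.
    'refresh' : interval elapsed and DNS reachable, entry is re-resolved.
    'stale'   : interval elapsed, DNS unreachable, old answer still served
                because the stale-entry window has not run out.
    'expired' : no usable answer (stale window over, or timeout set to 0).
    """
    expires_at = entry.resolved_at + refresh_interval(entry.ttl, min_refresh_sec)
    if now < expires_at:
        return "fresh", entry.addresses
    if dns_reachable:
        return "refresh", entry.addresses
    # DNS unreachable: a stale timeout of 0 means never use a stale entry.
    if stale_timeout_min and now < expires_at + stale_timeout_min * 60:
        return "stale", entry.addresses
    return "expired", []
```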