By default, the firewall refreshes each FQDN based on the DNS TTL value
for that FQDN, as long as the TTL is greater than or equal to the
configured minimum FQDN refresh setting (or the default setting of
30 seconds if no minimum is configured).
A DNS record for an FQDN includes a time-to-live (TTL) value and, by
default, the firewall refreshes each FQDN in its cache based on the
individual TTL provided by the DNS server, as long as that TTL is greater
than or equal to the minimum FQDN refresh setting you configure on the
firewall (or greater than or equal to the default setting of 30 seconds
if you don’t configure a minimum FQDN refresh setting). Refreshing an
FQDN based on its TTL value results in more accurate FQDN resolutions.
This is especially helpful for securing access to cloud platform services,
which often require frequent FQDN refreshes to ensure that their services
are available. For example, cloud environments that support autoscaling
depend on FQDN resolutions for dynamically scaling services up and down;
fast resolutions of FQDNs are critical in such time-sensitive environments.
You can configure the firewall with a Minimum FQDN Refresh Time to
limit how small a TTL value the firewall honors. If your IP addresses
don’t change very often, you can set a higher Minimum FQDN Refresh
Time so that the firewall doesn’t refresh entries more often than
necessary. The firewall uses the higher of the DNS TTL value and
the configured Minimum FQDN Refresh Time.
You can set a stale-entry timeout to configure how long the firewall
continues to use stale (expired) FQDN resolutions in the event of
an unreachable DNS server.
Global on a firewall without multiple virtual system capability)
Configure the FQDN timers for the firewall:
Minimum FQDN Refresh Time (sec)
Enter the number of seconds to limit how frequently the firewall refreshes
the FQDN cache entries (range is 0 to 14,400; default is 30). A setting of
0 means the firewall refreshes the FQDN based on the TTL value in the DNS
record; the firewall doesn’t enforce a minimum FQDN refresh time.
FQDN Stale Entry Timeout (min)
Enter the number of minutes that the firewall continues to use stale FQDN
resolutions in the event of an unreachable DNS server (range is 0 to
10,080; default is 1,440). A value of 0 means the firewall does not use
a stale FQDN entry.
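The two timers above interact in a way that is easy to misjudge when tuning them. The following Python model is an added example, not Palo Alto Networks code and not how PAN-OS is implemented internally; it reproduces the rules the page states (the firewall uses the higher of the DNS TTL and the Minimum FQDN Refresh Time, a minimum of 0 honors the TTL as-is, and expired entries are reused only while DNS is unreachable and the stale timeout has not elapsed). The class and function names, the simulated clock, the sample DNS answers, and the assumption that the stale timeout is counted from the moment an entry expires are all constructed for illustration.

```python
"""Added example (not PAN-OS code): a model of the FQDN refresh and
stale-entry timers described on this page. Names, sample DNS data and the
simulated clock are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

DEFAULT_MIN_REFRESH_SEC = 30        # page: default Minimum FQDN Refresh Time
DEFAULT_STALE_TIMEOUT_MIN = 1440    # page: default FQDN Stale Entry Timeout
MAX_MIN_REFRESH_SEC = 14400         # page: upper bound of the refresh setting
MAX_STALE_TIMEOUT_MIN = 10080       # page: upper bound of the stale timeout


def effective_refresh_interval(dns_ttl: int,
                               min_refresh_sec: int = DEFAULT_MIN_REFRESH_SEC) -> int:
    """Seconds until the firewall re-resolves an FQDN.

    The firewall uses the higher of the DNS TTL and the configured minimum.
    A minimum of 0 means the TTL is honored as-is, with no floor applied.
    """
    if not 0 <= min_refresh_sec <= MAX_MIN_REFRESH_SEC:
        raise ValueError("Minimum FQDN Refresh Time must be 0-14,400 seconds")
    if min_refresh_sec == 0:
        return dns_ttl
    return max(dns_ttl, min_refresh_sec)


@dataclass
class Entry:
    addresses: Tuple[str, ...]
    resolved_at: int   # simulated clock, seconds
    refresh_at: int    # clock value at which the entry becomes stale


class FqdnCache:
    """Constructed cache that applies both timers to each lookup."""

    def __init__(self, min_refresh_sec: int = DEFAULT_MIN_REFRESH_SEC,
                 stale_timeout_min: int = DEFAULT_STALE_TIMEOUT_MIN) -> None:
        if not 0 <= stale_timeout_min <= MAX_STALE_TIMEOUT_MIN:
            raise ValueError("FQDN Stale Entry Timeout must be 0-10,080 minutes")
        self.min_refresh_sec = min_refresh_sec
        self.stale_timeout_min = stale_timeout_min
        self.entries: Dict[str, Entry] = {}

    def record(self, fqdn: str, addresses: Tuple[str, ...], ttl: int, now: int) -> None:
        interval = effective_refresh_interval(ttl, self.min_refresh_sec)
        self.entries[fqdn] = Entry(tuple(addresses), now, now + interval)

    def lookup(self, fqdn: str, now: int, dns_reachable: bool,
               resolver: Callable[[str], Tuple[Tuple[str, ...], int]]) -> Optional[Tuple[str, ...]]:
        """Addresses the firewall would use at `now`, or None if it has none."""
        entry = self.entries.get(fqdn)
        if entry is not None and now < entry.refresh_at:
            return entry.addresses                     # still fresh: no DNS query
        if dns_reachable:
            addrs, ttl = resolver(fqdn)                # due for refresh: re-resolve
            self.record(fqdn, addrs, ttl, now)
            return self.entries[fqdn].addresses
        # DNS unreachable: reuse the expired entry only within the stale timeout
        # (assumption: the timeout is counted from the moment the entry expired).
        if entry is None or self.stale_timeout_min == 0:
            return None
        stale_deadline = entry.refresh_at + self.stale_timeout_min * 60
        return entry.addresses if now < stale_deadline else None


# Constructed sample DNS answers: fqdn -> (addresses, TTL in seconds).
SAMPLE_DNS = {
    "api.example.com": (("203.0.113.10", "203.0.113.11"), 5),   # short TTL, autoscaled
    "files.example.com": (("198.51.100.7",), 3600),
}


def sample_resolver(fqdn: str) -> Tuple[Tuple[str, ...], int]:
    return SAMPLE_DNS[fqdn]


def demo() -> dict:
    """Walk through the cases the page describes and return the outcomes."""
    out = {}
    out["short_ttl_interval"] = effective_refresh_interval(5)      # floor of 30 wins
    out["long_ttl_interval"] = effective_refresh_interval(3600)    # TTL wins
    out["honor_ttl"] = effective_refresh_interval(5, 0)            # minimum 0: TTL as-is

    cache = FqdnCache()   # defaults: 30 s floor, 1,440 min stale timeout
    cache.lookup("api.example.com", 0, True, sample_resolver)
    out["fresh"] = cache.lookup("api.example.com", 10, False, sample_resolver)
    out["stale_used"] = cache.lookup("api.example.com", 60, False, sample_resolver)
    out["stale_expired"] = cache.lookup("api.example.com", 30 + 1440 * 60, False, sample_resolver)

    strict = FqdnCache(stale_timeout_min=0)   # 0: never use a stale entry
    strict.lookup("api.example.com", 0, True, sample_resolver)
    out["no_stale"] = strict.lookup("api.example.com", 60, False, sample_resolver)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `api.example.com` case shows the trade-off the page hints at for autoscaled services: with the default 30-second floor, a 5-second TTL is re-resolved only every 30 seconds, so a service that rotates addresses faster than that needs the minimum lowered (or set to 0). The `strict` cache shows the other side: a stale timeout of 0 means an unreachable resolver leaves the policy with no address at all as soon as the entry expires.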