FQDN Refresh Enhancement
By default, the firewall refreshes FQDNs based on the DNS TTL value for the FQDN as long as the TTL is greater than or equal to the minimum FQDN refresh setting configured or the default setting of 30 seconds.
A DNS record for an FQDN includes a time-to-live (TTL) value and, by default, the firewall now refreshes each FQDN in its cache based on the individual TTL provided by the DNS server, as long as that TTL is greater than or equal to the Minimum FQDN Refresh Time you configure on the firewall (or greater than or equal to the default of 30 seconds if you don’t configure one). Refreshing an FQDN based on its TTL value results in more accurate FQDN resolutions. This is especially helpful for securing access to cloud platform services, which often require frequent FQDN refreshes to ensure that their services remain reachable. For example, cloud environments that support autoscaling depend on FQDN resolutions for dynamically scaling services up and down; fast resolution of FQDNs is critical in such time-sensitive environments.
You can configure the firewall with a Minimum FQDN Refresh Time to limit how small a TTL value the firewall honors. If your IP addresses don’t change very often, you can set a higher Minimum FQDN Refresh Time so that the firewall doesn’t refresh entries more often than necessary. The firewall uses the higher of the DNS TTL time and the configured Minimum FQDN Refresh Time.
Additionally, you can set a stale-entry timeout to configure how long the firewall continues to use stale (expired) FQDN resolutions in the event of an unreachable DNS Server.
- Select Device > Setup > Services > Global (omit Global on a firewall without multiple virtual system capability) and edit.
- Configure the FQDN timers for the firewall:
  - Select DNS Servers or DNS Proxy Object.
  - Enter the Minimum FQDN Refresh Time (sec) in seconds to limit how frequently the firewall will refresh the FQDN cache entries (range is 0 to 14,400; default is 30). A setting of 0 means the firewall will refresh the FQDN based on the TTL value in the DNS record; the firewall doesn’t enforce a minimum FQDN refresh time.
  - Enter the FQDN Stale Entry Timeout (min) in minutes, which is the length of time that the firewall continues to use stale FQDN resolutions in the event of an unreachable DNS server (range is 0 to 10,080; default is 1,440). A value of 0 means the firewall does not use a stale FQDN entry.
- Click OK.
- Commit your changes.
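The two timers interact in a way that is easy to misjudge when tuning them, so the following is an added Python model of the refresh logic described above: the effective refresh interval is the higher of the record TTL and the Minimum FQDN Refresh Time (0 meaning the TTL is honoured as-is), and an expired entry stays usable for the Stale Entry Timeout only while DNS is unreachable (0 meaning never). This is illustrative code written for this page, not PAN-OS code; the FQDN `app.example.com`, the addresses, the `StubResolver` class and the choice to measure the stale window from the entry's expiry are all constructed assumptions.

```python
"""Model of the FQDN refresh and stale-entry timers (added example, not PAN-OS code)."""
from dataclasses import dataclass

DEFAULT_MIN_REFRESH_SEC = 30       # default Minimum FQDN Refresh Time (sec)
DEFAULT_STALE_TIMEOUT_MIN = 1440   # default FQDN Stale Entry Timeout (min)
MAX_MIN_REFRESH_SEC = 14400        # upper end of the documented range
MAX_STALE_TIMEOUT_MIN = 10080      # upper end of the documented range


class DnsUnreachable(Exception):
    """Raised by the resolver when no DNS server answers."""


def effective_refresh_interval(dns_ttl: int, min_refresh_sec: int = DEFAULT_MIN_REFRESH_SEC) -> int:
    """Seconds until the entry is refreshed: the higher of the record TTL and the
    configured minimum. A minimum of 0 removes the floor, so the TTL is used as-is."""
    if not 0 <= min_refresh_sec <= MAX_MIN_REFRESH_SEC:
        raise ValueError("Minimum FQDN Refresh Time must be 0..14400 seconds")
    return max(dns_ttl, min_refresh_sec)


@dataclass
class CacheEntry:
    addresses: list
    resolved_at: float       # simulated clock, seconds
    refresh_interval: int    # seconds, from effective_refresh_interval()

    def expires_at(self) -> float:
        return self.resolved_at + self.refresh_interval


@dataclass
class StubResolver:
    """Constructed stand-in for a DNS server: fixed answers, a reachability switch
    and a call counter so a caller can see when the cache actually re-queried."""
    records: dict            # fqdn -> (addresses, ttl_seconds); constructed data
    reachable: bool = True
    calls: int = 0

    def resolve(self, fqdn):
        self.calls += 1
        if not self.reachable:
            raise DnsUnreachable(fqdn)
        return self.records[fqdn]


class FqdnCache:
    def __init__(self, resolver, min_refresh_sec=DEFAULT_MIN_REFRESH_SEC,
                 stale_timeout_min=DEFAULT_STALE_TIMEOUT_MIN):
        if not 0 <= stale_timeout_min <= MAX_STALE_TIMEOUT_MIN:
            raise ValueError("FQDN Stale Entry Timeout must be 0..10080 minutes")
        self.resolver = resolver
        self.min_refresh_sec = min_refresh_sec
        self.stale_timeout_sec = stale_timeout_min * 60
        self.entries = {}

    def lookup(self, fqdn: str, now: float) -> list:
        """Addresses a policy rule referencing `fqdn` would match at simulated time `now`.
        An empty list means nothing usable is cached, i.e. the rule cannot match."""
        entry = self.entries.get(fqdn)
        if entry is not None and now < entry.expires_at():
            return entry.addresses                   # still inside the refresh interval
        try:
            addresses, ttl = self.resolver.resolve(fqdn)
        except DnsUnreachable:
            # DNS down: keep serving the expired answer for up to the stale timeout.
            # Assumption: the stale window starts when the entry expires.
            if (entry is not None and self.stale_timeout_sec > 0
                    and now < entry.expires_at() + self.stale_timeout_sec):
                return entry.addresses
            return []                                # timeout of 0, or window elapsed
        self.entries[fqdn] = CacheEntry(
            addresses, now, effective_refresh_interval(ttl, self.min_refresh_sec))
        return addresses


if __name__ == "__main__":
    # Constructed timeline: a 10 s TTL record with the default 30 s minimum and a 1 min stale timeout.
    resolver = StubResolver({"app.example.com": (["198.51.100.10"], 10)})
    cache = FqdnCache(resolver, min_refresh_sec=30, stale_timeout_min=1)
    for t in (0, 20, 30):
        print(f"t={t:>3}s dns up   -> {cache.lookup('app.example.com', t)}  queries={resolver.calls}")
    resolver.reachable = False
    for t in (70, 130):
        print(f"t={t:>3}s dns down -> {cache.lookup('app.example.com', t)}  queries={resolver.calls}")
```

Running the timeline shows the 10 s TTL being held to the 30 s floor (no re-query at t=20, one at t=30), then the expired answer still serving at t=70 while DNS is down and disappearing at t=130 once the one-minute stale window has passed.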