Advanced DNS Security Resolver provides DNS security for Prisma Access Agent users
when tunnels are unavailable, maintaining threat protection through encrypted DNS
forwarding.
Mobile Users with Prisma® Access Agents might need to disconnect the agent app for
various reasons, such as connectivity or performance problems, customer site
restrictions, or to reach sanctioned applications directly. While the agent is
disconnected, internet and Software as a Service (SaaS) traffic receives no security
inspection, which leaves a gap. Advanced DNS Security Resolver addresses this gap by
providing DNS security for Prisma Access Agent users whenever the user is
disconnected from Prisma Access Agent, so that DNS-layer protection (blocking of
malicious domains at resolution time) remains in place even when the tunnel is down.
When you enable Advanced DNS Security Resolver for Prisma Access Agents, the agent
sends DNS queries to Palo Alto Networks DNS resolvers using DNS over HTTPS (DoH)
whenever the primary tunnel connection is down. The agent intercepts DNS queries on
the endpoint and forwards them over the encrypted DoH connection, so you keep
visibility and control over DNS requests even when users are disconnected from the
tunnel. The service supports user-authenticated modes, with long-lived device tokens
valid for up to six months.
Forwarding to Advanced DNS Security Resolver is governed by the same forwarding
profiles the agent already receives, so you control which DNS queries are resolved
through Advanced DNS Security Resolver and which are allowed to go direct. The
feature blocks malicious domains using DNS Security, and enforces the user-specific,
administrator-configured DNS Security policies you add to Advanced DNS Security
Resolver. You can deploy Advanced DNS Security Resolver for Prisma Access Agent as a
fallback mechanism that activates when primary tunnel connections are disrupted.
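To make the fallback mechanism concrete, the following is an added illustrative example, not Palo Alto Networks code and not a description of the agent's actual wire protocol. It shows the three pieces a DoH fallback on an endpoint needs: building a DNS query in wire format, wrapping it in an RFC 8484 GET request (base64url without padding in the `dns` parameter), and applying a forwarding-profile decision that sends queries through the tunnel when it is up, direct for profile-listed suffixes when it is down, and to the DoH resolver otherwise. The resolver URL, the device token, the use of an `Authorization: Bearer` header to carry that token, the suffix list and the hostnames are all constructed assumptions.

```python
import base64
import struct

# Constructed sample forwarding profile: domain suffixes the agent resolves
# directly (no DoH) while the tunnel is down. Hypothetical format.
DIRECT_SUFFIXES = ("corp.example", "sanctioned-saas.example")

# Hypothetical resolver endpoint and device token; both are placeholders.
RESOLVER_URL = "https://doh.resolver.example/dns-query"
DEVICE_TOKEN = "device-token-placeholder"


def encode_name(name):
    """Encode a domain name as RFC 1035 wire-format labels."""
    wire = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def build_query(name, qtype=1):
    """Build a single-question DNS query (qtype 1 = A). The ID is fixed at 0,
    as RFC 8484 recommends for DoH so responses are cache-friendly."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(wire):
    """Return (name, qtype) from the question section of a DNS message."""
    qdcount = struct.unpack("!H", wire[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # a compression pointer; never valid in a query we built
            raise ValueError("unexpected compression pointer")
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", wire[pos:pos + 2])[0]
    return ".".join(labels), qtype


def doh_get_request(wire, resolver_url=RESOLVER_URL, token=DEVICE_TOKEN):
    """Describe an RFC 8484 GET request: base64url without padding in the
    'dns' query parameter. The Authorization header is an assumed way to carry
    the device token; this page does not say how the agent presents it."""
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return {
        "method": "GET",
        "url": "%s?dns=%s" % (resolver_url, encoded),
        "headers": {
            "Accept": "application/dns-message",
            "Authorization": "Bearer %s" % token,
        },
    }


def matches_suffix(name, suffixes):
    """True when name equals a suffix or is a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


def choose_path(name, tunnel_up, direct_suffixes=DIRECT_SUFFIXES):
    """Tunnel when it is up; otherwise direct for profile-listed suffixes and
    the DoH resolver for everything else."""
    if tunnel_up:
        return "tunnel"
    if matches_suffix(name, direct_suffixes):
        return "direct"
    return "doh"


def resolve_plan(name, tunnel_up):
    """Return the chosen path and, for the DoH path, the request to send."""
    path = choose_path(name, tunnel_up)
    plan = {"name": name, "path": path}
    if path == "doh":
        plan["request"] = doh_get_request(build_query(name))
    return plan


if __name__ == "__main__":
    for host, up in [("www.example.com", True), ("www.example.com", False),
                     ("mail.corp.example", False)]:
        print(resolve_plan(host, up))
```

The query for `www.example.com` produced here encodes to `AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB`, the same value RFC 8484 uses in its GET example, which is a quick way to check a DoH client's encoding against the standard. Note that the direct path resolves in cleartext over whatever resolver the endpoint's network supplies, which is exactly why the forwarding profile, not the user, should decide which suffixes take it.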