DNS Security "sinkhole" Action Is Overwritten Upon Upgrade to PAN-OS 10.0
12053
Created On 05/11/20 22:55 PM - Last Modified 09/08/21 00:11 AM
Symptom
- DNS Security configured with 'Sinkhole" Action on Firewall running PAN-OS 9.1
- After upgrading to PAN-OS 10.0 DNS Security stops working
Environment
- Palo Alto Firewall with DNS Security License
- Configured DNS Security with Actions set to Sinkhole
- Upgrade of Firewalls from PAN-OS 9.1 to 10.0
Cause
Upon upgrade to PAN-OS 10.0 and later, the DNS Security source gets redefined into new categories to provide extended granular controls; as a result, the new categories will overwrite the previously defined action and acquire default settings"default(block)".
See example below.
Before: DNS Security with Action set to Sinkhole on PAN-OS 9.1
After upgrade to PAN-OS 10.0: DNS Security malicious Categories changed to "default (block)"
Resolution
To restore the Sinkhole Action on DNS Security:
- Access the relevant Anti-Spyware profile under [Objects > Security Profiles > Anti-Spyware > (Open Anti-Spyware profile) > DNS Policies (tab) > DNS Security (section)].
- Change the Actions on the new DNS Categories from "default(block)" to sinkhole as desired. (i.e. new DNS Security Categories that map to old 9.1 detections are "Command and Control Domains", "Malware Domains", "Phishing Domains" and "Recently Registered Domains".
- Click OK.
- Commit your changes.
Additional Information
The DNS Security action overwrite upon upgrade to PAN-OS 10.0.0 can be observed using the Config Audit tool.
More information can be found on:
DNS Security Signature Categories