Reduce FQDN Refresh Timer on Firewall in Order to Prevent Intermittent AWS Connection Outages
67584
Created On 02/14/19 17:57 PM - Last Modified 08/31/20 14:47 PM
Symptom
AWS ECS cluster IP addresses change frequently, causing intermittent outages because the minimum FQDN refresh timer that can be configured on the firewall is 10 minutes.
Environment
PAN-OS 8.0
FQDN
Cause
Prior to 9.0, the minimum value that can be set for the FQDN refresh time is 10 minutes (600 seconds):
> configure
# set deviceconfig system fqdn-refresh-time <600-14399> (in seconds)
# commit
Resolution
- Upgrade to 9.0
- Then, from the CLI, run:
> configure
# set deviceconfig system fqdn-refresh-time <value> <0-14399> Minimal seconds for periodic FQDN refresh
# commit
or
- Then, from the web UI:
- Select Device > Setup > Services > Global (omit Global on a firewall without multiple virtual system capability) and edit.
- Configure the FQDN timers for the firewall:
- Select DNS Servers or DNS Proxy Object.
- Enter the Minimum FQDN Refresh Time (sec) in seconds to limit how frequently the firewall will refresh the FQDN cache entries (range is 0 to 14,400; default is 30). A setting of 0 means the firewall will refresh the FQDN based on the TTL value in the DNS record; the firewall doesn’t enforce a minimum FQDN refresh time.
- Enter the FQDN Stale Entry Timeout (min) in minutes, which is the length of time that the firewall continues to use stale FQDN resolutions in the event of an unreachable DNS server (range is 0 to 10,080; default is 1,440). A value of 0 means the firewall does not use a stale FQDN entry.
- Click OK.
- Commit.
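To see why lowering the floor matters, the following added example (not Palo Alto Networks code) models how long the firewall keeps enforcing policy against a stale ECS address under the pre-9.0 600-second floor versus a 9.0 floor of 0. It assumes the refresh interval is the larger of the DNS TTL and the configured minimum, as described above, and uses constructed change times rather than data from a real firewall.

```python
"""Model of the PAN-OS FQDN refresh timer versus DNS TTL (constructed scenario)."""


def refresh_interval(dns_ttl: int, min_refresh: int) -> int:
    """Seconds between FQDN cache refreshes.

    Assumption: the firewall refreshes on the record TTL but never more often
    than the configured minimum; a minimum of 0 removes the floor (9.0 behaviour).
    """
    if dns_ttl <= 0 or min_refresh < 0:
        raise ValueError("ttl must be positive and min_refresh non-negative")
    return max(dns_ttl, min_refresh)


def stale_seconds(ip_changes: list[int], horizon: int, dns_ttl: int, min_refresh: int) -> int:
    """Total seconds within [0, horizon) during which the cached IP is stale.

    ip_changes: times (s) at which the service starts answering from a new IP.
    The firewall refreshes at t = 0, interval, 2*interval, ... and only learns
    of a change at the first refresh at or after it. DNS propagation delay is
    ignored. Overlapping stale windows are merged so they are not double counted.
    """
    interval = refresh_interval(dns_ttl, min_refresh)
    stale = 0
    covered_until = 0
    for change in sorted(ip_changes):
        if change >= horizon:
            break
        next_refresh = -(-change // interval) * interval  # ceil to refresh tick
        start = max(change, covered_until)
        end = min(next_refresh, horizon)
        if end > start:
            stale += end - start
            covered_until = end
    return stale


def compare_settings(ip_changes: list[int], horizon: int, dns_ttl: int) -> dict:
    """Stale time under the pre-9.0 floor (600 s) and a 9.0 floor of 0 (TTL-driven)."""
    return {
        "pre_9_0_min_600": stale_seconds(ip_changes, horizon, dns_ttl, 600),
        "9_0_min_0": stale_seconds(ip_changes, horizon, dns_ttl, 0),
    }


if __name__ == "__main__":
    # Constructed: ECS re-homes the service three times in an hour; record TTL is 60 s.
    print(compare_settings([130, 905, 2410], horizon=3600, dns_ttl=60))
```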
Additional Information
Further information regarding this new feature can be found here:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/networking-features/fqdn-refresh-response.html