Using FQDN address object with dynamic IP for Policies

112212
Created On 01/22/20 02:08 AM - Last Modified 01/27/20 02:25 AM


Objective


This document describes a way to use FQDN address objects whose names resolve to changing IP addresses, so that traffic from inside hosts matches the policies written for them with as few mismatches as possible.
Note: The inconsistent policy matching seen with such FQDN address objects is not caused by the firewall. This document is only a workaround for cases where using such an FQDN address object is a mandatory requirement.
See the following article for the behaviour of the refresh and cache timers on PAN-OS 9.0 and above:
DNSPROXY AND FQDN ADDRESS REFRESH BEHAVIOURS - PANOS 9.0 AND ABOVE


Environment


Topology: (diagram not reproduced) Host A sits behind the firewall's Trust (LAN) interface and reaches server-a.com through the firewall.
Assumptions:
The PA firewall is running PAN-OS 9.0 or later.
An FQDN address object "ServerA" is configured with the FQDN server-a.com.
The DNS server returns a different IP address for this FQDN on every query.
For the purposes of this document, server-a.com resolves to either 10.10.10.1 or 10.10.10.2.
The TTL supplied by the DNS server for this record is 4 seconds.

Issue:
Both Host A and the PA firewall resolve server-a.com to obtain the IP address they will use.
Host A uses its answer as the destination of the traffic it generates.
The PA firewall uses its answer to populate the address object and to match the traffic against the configured policies.
Because the answer changes on almost every DNS reply, traffic will not match the intended policy whenever Host A and the PA firewall hold different answers.

For example, suppose that at time "n" Host A resolved server-a.com to 10.10.10.1 while the PA firewall resolved it to 10.10.10.2.
The PA firewall has a security rule "SecPolicyServerA" that uses the ServerA address object as its destination.
Host A sends traffic to 10.10.10.1. Because the firewall currently holds 10.10.10.2 for ServerA, "SecPolicyServerA" is not applied to this traffic; it is evaluated against the remaining rules instead, which usually means the interzone default deny rule.

Starting with PAN-OS 9.0, each FQDN entry is refreshed individually, and the interval used for the refresh is determined by the logic explained in the article linked at the start of this document.
If the TTL supplied by the DNS server is very low, say 4 or 5 seconds, the firewall refreshes the FQDN entry that often, and every refresh is another opportunity for its answer to diverge from the one Host A is still using. The practical result is that the traffic is dropped, or handled by an unintended rule, for much of the time.
 


Procedure


Resolution:
The only way to reduce the probability of an IP mismatch between the PA firewall and Host A to a minimum is to
1. Make sure that both the PA firewall and Host A receive the same IP address, or set of addresses, for a given period of time.
2. Raise the effective TTL of the FQDN entries so that the IP address does not change on every other request.

To achieve this, configure a DNS proxy on the firewall's Trust interface:
HOW TO CONFIGURE DNS PROXY ON A PALO ALTO NETWORKS FIREWALL
The DNS proxy's cache must also be enabled.
Then set the DNS server address on the inside host (Host A) to the firewall's LAN interface IP.
Set the firewall's own DNS server setting (Device > Setup > Services) to the DNS Proxy Object just created (DNSProxyTrust).
Set "Minimum FQDN Refresh Time (sec)" to a higher value, such as 600 seconds.

Without this configuration, if the DNS server's TTL for server-a.com is 4 seconds, the firewall refreshes the entry for server-a.com as often as that TTL (bounded only by the minimum refresh time described in the linked article) allows.
Once the firewall's DNS server is set to the DNSProxy object, the DNS proxy and the FQDN address object share the same DNS proxy cache.
With this configuration the DNS proxy cache looks as follows:
> show dns-proxy cache all

Name: mgmt-obj
Cache settings:
< ----- NOT USED ANY MORE ---->

Name: DNSProxyTrust
Cache settings:
    max-ttl: 86400
    cache-edns: enabled
    entries: 4
Domain          IP/Name       Type   Class  TTL    Hits
--------------------------------------------------------
server-a.com    10.10.10.1    A      IN     598    2

Both Host A and the PA firewall therefore use 10.10.10.1 for 600 seconds. When the FQDN entry is refreshed after 600 seconds and a new IP address is received, Host A obtains the new address on its next DNS request to the DNS proxy,
and the firewall starts using the new address in the address object.
For better results, raise the value further so that the same IP address is used for a longer period.
** Note: This setup does not guarantee that the PA firewall and the hosts are in sync at all times. It only minimises the time during which they are out of sync: for example, a host that still holds the previous answer in its own resolver cache, or that has sessions open to the previous address, will briefly disagree with the firewall after each refresh.
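The check a practitioner wants after committing this configuration is whether the answer Host A holds is one the firewall will actually match. The following Python script is an added example, not part of the Palo Alto Networks article: it parses the `show dns-proxy cache all` output shown above (the sample text is constructed from that output, with an extra FQDN server-b.com invented to show a name whose cached TTL is still the DNS server's short value) and reports which IPs the firewall will use for an FQDN, whether a host-side answer is in sync with them, and which names are being handed to hosts with a TTL shorter than a chosen threshold. Feed it the real CLI output in place of SAMPLE_CACHE; the host-side answer comes from nslookup on Host A.

```python
"""
Added example (not from the Palo Alto Networks article): parse the output of
`show dns-proxy cache all` and check a host's resolved IP against the cache
the firewall uses for its FQDN address objects.

SAMPLE_CACHE is constructed from the format shown in the article; the
server-b.com records are invented to show a multi-entry cache.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the article's output plus one invented FQDN whose
# records still carry the DNS server's short TTL (no policy refresh governs it).
SAMPLE_CACHE = """\
Name: mgmt-obj
Cache settings:

Name: DNSProxyTrust
Cache settings:
    max-ttl: 86400
    cache-edns: enabled
    entries: 4
Domain          IP/Name       Type   Class  TTL    Hits
--------------------------------------------------------
server-a.com    10.10.10.1    A      IN     598    2
server-b.com    10.10.20.5    A      IN     3      7
server-b.com    10.10.20.6    A      IN     3      7
"""

RECORD_TYPES = {"A", "AAAA", "CNAME"}


@dataclass(frozen=True)
class CacheEntry:
    proxy: str      # DNS proxy object the record is cached under
    domain: str     # queried name, without trailing dot
    value: str      # IP (A/AAAA) or target name (CNAME)
    rtype: str
    ttl: int        # remaining seconds the proxy will keep handing this out
    hits: int


def parse_dns_proxy_cache(text: str) -> list[CacheEntry]:
    """Return every resource record listed under each DNS proxy object."""
    entries: list[CacheEntry] = []
    proxy = None
    for line in text.splitlines():
        m = re.match(r"^Name:\s+(\S+)", line)
        if m:
            proxy = m.group(1)          # start of a new proxy object's section
            continue
        fields = line.split()
        # Record rows have exactly six columns: Domain IP/Name Type Class TTL Hits.
        # The header row also has six fields, but its Type column is the word "Type".
        if proxy and len(fields) == 6 and fields[2] in RECORD_TYPES and fields[3] == "IN":
            entries.append(CacheEntry(proxy, fields[0].rstrip("."), fields[1],
                                      fields[2], int(fields[4]), int(fields[5])))
    return entries


def firewall_ips(entries: list[CacheEntry], proxy: str, fqdn: str) -> set[str]:
    """IPs the firewall will use for an FQDN object served from this proxy's cache."""
    name = fqdn.rstrip(".")
    return {e.value for e in entries
            if e.proxy == proxy and e.domain == name and e.rtype in ("A", "AAAA")}


def host_in_sync(entries: list[CacheEntry], proxy: str, fqdn: str, host_ip: str) -> bool:
    """True if the answer Host A is using is one the firewall's policy will match."""
    return host_ip in firewall_ips(entries, proxy, fqdn)


def short_ttl_names(entries: list[CacheEntry], proxy: str, threshold: int) -> set[str]:
    """Names the proxy is handing out with a TTL below `threshold` seconds.

    A name referenced by a policy should show a TTL counting down from the
    Minimum FQDN Refresh Time (598 in the article); a name sitting at the DNS
    server's own few-second TTL will flip between answers on the hosts faster
    than any policy refresh.
    """
    return {e.domain for e in entries if e.proxy == proxy and e.ttl < threshold}


if __name__ == "__main__":
    cache = parse_dns_proxy_cache(SAMPLE_CACHE)
    host_answer = "10.10.10.1"   # constructed: what `nslookup server-a.com` returned on Host A
    print("firewall IPs for server-a.com:", firewall_ips(cache, "DNSProxyTrust", "server-a.com"))
    print("host in sync:", host_in_sync(cache, "DNSProxyTrust", "server-a.com", host_answer))
    print("names below 30s TTL:", short_ttl_names(cache, "DNSProxyTrust", 30))
```

The six-column match keys on the Type and Class columns rather than on column positions, so the parser is not thrown off by the header row, the dashed separator, or the "Cache settings" lines, and it returns nothing for a proxy section with no records (mgmt-obj above), which is exactly the state the article expects once the firewall's DNS setting points at DNSProxyTrust.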
 


Additional Information


For a 100% success rate in this scenario, all IP addresses of the servers must be configured statically in the policies.
This cannot be achieved with FQDNs whose IP addresses change dynamically.
 


Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POKh&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail