Firewall fails to ping hostname or FQDN with DNS server reachable
Created On 04/20/21 18:18 PM - Last Modified 05/23/25 21:30 PM
Symptom
- Firewall (CLI) fails to ping hostname or FQDN with DNS server reachable
- On the Firewall CLI:
- Ping to IP address (without DNS resolution) works correctly.
admin@fw-01> ping host 216.239.35.8
PING 216.239.35.8 (216.239.35.8): 56 data bytes
64 bytes from 216.239.35.8: icmp_seq=0 ttl=84 time=83.518 ms
- Ping to a hostname (such as time.google.com) fails with "unknown host".
admin@fw-01> ping host time.google.com
ping: unknown host time.google.com
- The configured DNS server is reachable (for example, 10.10.10.12).
admin@fw-01> ping host 10.10.10.12
PING 10.10.10.12 (10.10.10.12) : 56(84) bytes of data.
64 bytes from 10.10.10.12: icmp_seq=1 ttl=122 time=87.6 ms
- A packet capture on the firewall shows the DNS query for the hostname being sent to the DNS server, but no DNS response is received.
Note: If the dataplane is used for services (service routes), use the "ping source <dataplane-interface-ip> host <hostname>" form of the command so the ping originates from the dataplane interface.
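As an added check that is not part of this article or of PAN-OS, the script below reproduces the packet-capture observation from a host on the management network: it sends a raw DNS A query to the configured server and reports whether an answer, an error code, or nothing at all comes back. The DNS server 10.10.10.12 and the hostname time.google.com are the values from the symptom section; the response packet in the accompanying test is constructed.

```python
import random
import socket
import struct

def build_a_query(hostname, txid):
    """Build a minimal RFC 1035 DNS A query for hostname with transaction id txid."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = hostname.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(packet, off):
    """Return the offset just past a (possibly compressed) domain name at off."""
    while packet[off] & 0xC0 != 0xC0 and packet[off] != 0:
        off += packet[off] + 1                      # plain label: length byte + text
    return off + 2 if packet[off] & 0xC0 == 0xC0 else off + 1  # pointer or root label

def parse_a_answers(txid, packet):
    """Return (rcode, [IPv4 strings]) from a DNS response to the query with id txid."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("packet is not a response to our query")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(packet, off) + 4           # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(packet, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in packet[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips

def check_resolver(hostname, dns_server, timeout=3.0):
    """Classify the resolver: 'answered <ips>', 'error rcode N', or 'no response'."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(hostname, txid), (dns_server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "no response"   # the pcap symptom: query sent, nothing comes back
    rcode, ips = parse_a_answers(txid, data)
    if rcode == 0 and ips:
        return "answered " + ",".join(ips)
    return "error rcode %d" % rcode
```

Running `check_resolver("time.google.com", "10.10.10.12")` from the management network distinguishes a server that never answers (the case on this page) from one that answers with an error such as NXDOMAIN.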
Environment
- Palo Alto Firewall
- Supported PAN-OS
Cause
- The problem usually appears after a PAN-OS upgrade of the firewall.
- Potential corruption of the management interface IP configuration in the firewall's device state.
Note: When a customer firewall's device state is imported into a lab device, the "Management Interface Settings" show the IP Address and Netmask as missing/empty.
Resolution
- Identify the management IP address, netmask and default gateway that belong to the affected firewall.
- Then reconfigure them from the CLI.
- Commit the configuration with "commit force", as in the example below.
> configure
# set deviceconfig system type static
# set deviceconfig system ip-address 10.10.0.11
# set deviceconfig system netmask 255.255.255.0
# set deviceconfig system default-gateway 10.10.0.1
# commit force