DNS Security allow and alert actions in PAN-OS 10.0
Created On 11/10/20 20:45 PM - Last Modified 01/19/23 04:49 AM
Symptom
- Attempting to set the DNS Security Action for a given DNS Security Category to "alert", but the "alert" option is no longer present.
- Attempting to suppress Threat log entries for a DNS Security Category, but the configured "allow" action continues to write entries to the Threat logs.
Environment
- PAN-OS 10.0 or higher.
- DNS Security.
- Threat Logs.
Cause
Traditionally, the "allow" action means that Threat log entry writing is suppressed.
The behavior for Action "allow" has changed for DNS Security in PAN-OS 10.0 as follows:
- If a Log Severity is defined for the DNS Security Category and the Action is "allow", the category behaves like the traditional "alert" action: a Threat log entry is written with the selected Log Severity.
- If no Log Severity is defined for the DNS Security Category (it is set to "none") and the Action is "allow", the category behaves like the traditional "allow" action: no Threat log entry is written.
Resolution
- To run a traditional "alert" action for a given DNS Security Category, set the action to "allow", and specify the desired Log Severity.
- To suppress writing log entries for a given DNS Security Category, set the action to "allow", and set the Log Severity to "none".
- action = allow, Log Severity = defined ==> traditional alert action (writes logs)
- action = allow, Log Severity = none (not defined) ==> traditional allow action (no logs)
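The following is an added example, not Palo Alto Networks code: a small audit that applies the two rules above to a constructed set of DNS Security category settings, so an administrator can see which categories configured with "allow" will still write Threat log entries. The profile dictionary and its category names are constructed for illustration.

```python
"""Audit which DNS Security categories will actually write Threat log entries
under the PAN-OS 10.0 meaning of the "allow" action.  Added example; the
profile data below is constructed, not exported from a real firewall."""

from typing import Dict, Tuple

# Log Severity values an administrator can choose; "none" means not defined.
SEVERITIES = {"none", "informational", "low", "medium", "high", "critical"}


def effective_behavior(action: str, log_severity: str) -> Tuple[str, bool]:
    """Return (traditional_action, writes_threat_log) for an "allow" entry.

    With a Log Severity defined, "allow" behaves like the traditional "alert"
    (a Threat log entry is written); with Log Severity "none" it behaves like
    the traditional "allow" (no log entry).  Other actions are not covered by
    this behaviour change, so they are rejected rather than guessed at.
    """
    sev = log_severity.strip().lower()
    if sev not in SEVERITIES:
        raise ValueError(f"unknown Log Severity {log_severity!r}")
    if action.strip().lower() != "allow":
        raise ValueError("only the 'allow' action changed meaning in 10.0")
    return ("alert", True) if sev != "none" else ("allow", False)


def audit_profile(categories: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map every category set to "allow" onto what it really does."""
    report = {}
    for name, cfg in categories.items():
        if cfg["action"].strip().lower() != "allow":
            continue  # block/sinkhole entries are unaffected by this change
        _, logs = effective_behavior(cfg["action"], cfg["log-severity"])
        report[name] = "writes Threat log (alert)" if logs else "no Threat log (allow)"
    return report


# Constructed profile: the admin set "allow" on two categories intending to
# silence both, but left a Log Severity on one of them.  Category names are
# illustrative placeholders.
PROFILE = {
    "dns-sec-malware":  {"action": "sinkhole", "log-severity": "high"},
    "dns-sec-grayware": {"action": "allow",    "log-severity": "low"},   # still logs
    "dns-sec-parked":   {"action": "allow",    "log-severity": "none"},  # truly silent
}

if __name__ == "__main__":
    for category, outcome in audit_profile(PROFILE).items():
        print(f"{category:18} -> {outcome}")
```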
Additional Information
This behavior change only affects the actions for DNS Security.
The traditional actions for "Palo Alto Networks Content" DNS Signatures are unchanged.