DNS Security allow and alert actions DNS Security in PAN-OS 10.0

Created On 11/10/20 20:45 PM - Last Modified 01/19/23 04:49 AM


Symptom


  • Attempting to configure a DNS Security Action for a given DNS Security Category to "alert", but the "alert" option is no longer present.
  • Attempting to suppress a DNS Security Category from writing log entries, but the configured "allow" action continues to produce log entries in the Threat logs.


Environment


  • PAN-OS 10.0 or higher.
  • DNS Security.
  • Threat Logs.


Cause


Traditionally, the "allow" action means that Threat log entry writing is suppressed.
The behavior for Action "allow" has changed for DNS Security in PAN-OS 10.0 as follows:
  • If a Log Severity is defined for the DNS Security Category and the defined Action is "allow", it will run the traditional "alert" function, resulting in writing a Threat log entry with the selected Log Severity.
  • If a Log Severity is not defined for the DNS Security Category (it is set to "none") and the defined Action is "allow", it will run the traditional "allow" function, resulting in suppressing the writing of Threat log entries.
New actions for DNS Security. Log Severity "none" and action "allow" map to traditional "allow" action. Log Severity other than "none" and action "allow" map to traditional "alert" action.
 


Resolution


  1. To run a traditional "alert" action for a given DNS Security Category, set the action to "allow", and specify the desired Log Severity.
  2. To suppress writing log entries for a given DNS Security Category, set the action to "allow", and set the Log Severity to "none".
Starting with PAN-OS 10.0, DNS Security actions depend on the Log Severity. The severity and action combinations are:
  • Action "allow" with a Log Severity defined for the DNS Security Category ==> traditional "alert" action (Threat log entries are written).
  • Action "allow" with Log Severity "none" (not defined) ==> traditional "allow" action (no Threat log entries are written).
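
The action and Log Severity mapping above can be audited in a saved profile to see which categories will and will not reach the Threat log. The following is an added example, not Palo Alto Networks code: it runs over a constructed XML snippet, and the element names (`dns-security-categories`, `action`, `log-level`), the category names and the `sinkhole` action are assumptions not taken from this article.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Element names, category names and
# the "sinkhole" action are assumptions about how a profile is serialized.
SAMPLE_XML = """
<spyware>
  <entry name="corp-dns">
    <botnet-domains>
      <dns-security-categories>
        <entry name="pan-dns-sec-malware"><action>sinkhole</action><log-level>high</log-level></entry>
        <entry name="pan-dns-sec-grayware"><action>allow</action><log-level>low</log-level></entry>
        <entry name="pan-dns-sec-parked"><action>allow</action><log-level>none</log-level></entry>
        <entry name="pan-dns-sec-ddns"><action>allow</action></entry>
      </dns-security-categories>
    </botnet-domains>
  </entry>
</spyware>
"""

def effective_behavior(action, severity):
    """Map (action, Log Severity) to the traditional behavior the article describes."""
    if action != "allow":
        return "unchanged"        # the article only redefines "allow"
    if severity is None:
        return "review"           # severity missing or empty: check in the UI
    if severity == "none":
        return "allow-no-log"     # traditional allow: Threat log suppressed
    return "alert-logged"         # traditional alert: Threat log written

def audit_profiles(xml_text):
    """Return (profile, category, action, severity, behavior) per category."""
    root = ET.fromstring(xml_text)
    rows = []
    path = "botnet-domains/dns-security-categories/entry"
    for profile in root.findall("entry"):
        for cat in profile.findall(path):
            action = (cat.findtext("action") or "").strip().lower()
            sev = (cat.findtext("log-level") or "").strip().lower() or None
            rows.append((profile.get("name"), cat.get("name"), action, sev,
                         effective_behavior(action, sev)))
    return rows

def silent_categories(xml_text):
    """Categories whose matches will not appear in the Threat log."""
    return [r[1] for r in audit_profiles(xml_text) if r[4] == "allow-no-log"]

if __name__ == "__main__":
    for row in audit_profiles(SAMPLE_XML):
        print("{:10} {:22} action={:9} severity={!s:5} -> {}".format(*row))
```

Categories reported as `review` have no Log Severity in the parsed data, so the article's mapping cannot be applied to them from the configuration alone.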


Additional Information


This behavior change only affects the actions for DNS Security.
The traditional actions for "Palo Alto Networks Content" DNS Signatures are unchanged.


