How does the "Resolve Hostname" feature work
Created On 12/09/20 15:32 PM - Last Modified 12/14/22 04:44 AM
Question
How does the "Resolve Hostname" feature work?
Environment
- Palo Alto Firewall and Panorama
- Supported PAN-OS
- Traffic Log
Answer
- The "Resolve Hostname" checkbox is available in the Monitor tab of the WebUI of the PA firewall/Panorama.
- When this box is checked, the firewall tries to resolve the IP addresses in the logs to the corresponding hostnames.
- This applies to a variety of logs such as traffic, threat, data filtering, etc.
Details:
By default, the logs in the Monitor tab display IP addresses in the source/destination IP fields.
The "Resolve Hostname" feature can resolve the IP address in a log entry to the corresponding hostname, either by using the address objects configured on the firewall or by doing a DNS lookup.
When the checkbox is selected, the device first checks whether a corresponding address object is configured. If one is found, the device displays it. In this example, the IP address 192.168.1.20 has a corresponding address object configured.
If an address object is not configured on the device, the device sends out a DNS request for the PTR record of the IP address. In this example, the device sends out a DNS request for the corresponding PTR record.
Note: When an address object is configured on the device for a particular address and there is also an entry for this address in the DNS server, "Resolve Hostname" resolves the address to the configured address object.
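The lookup order described above (address object first, PTR query second) can be modelled as follows. This is an added example, not Palo Alto Networks code: the object name, the PTR data, the function names, the restriction to single-host address objects, and the fallback of showing the unchanged IP when nothing resolves are all assumptions made for illustration.

```python
import ipaddress
import socket

# Constructed sample data (assumptions, not taken from a real device).
ADDRESS_OBJECTS = {"web-server-01": "192.168.1.20"}   # object name -> host IP
SAMPLE_PTR = {"192.168.1.20": "host20.example.internal.",
              "198.51.100.7": "mail.example.net."}

def ptr_query_name(ip):
    """Name the PTR query is sent for, e.g. 20.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def system_ptr_lookup(ip):
    """Reverse lookup through the system resolver; None if no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def sample_ptr_lookup(ip):
    """Offline stand-in for a DNS server, backed by SAMPLE_PTR."""
    return SAMPLE_PTR.get(ip)

def resolve_hostname(ip, address_objects, ptr_lookup=system_ptr_lookup):
    """Return (display_value, source) using the order the article describes."""
    addr = ipaddress.ip_address(ip)
    # Step 1: a configured address object always wins, even if a PTR exists.
    for name, value in address_objects.items():
        if ipaddress.ip_address(value) == addr:
            return name, "address-object"
    # Step 2: otherwise ask DNS for the PTR record of the address.
    host = ptr_lookup(str(addr))
    if host:
        return host.rstrip("."), "dns-ptr"
    # Assumption: with no object and no PTR answer, the IP is shown unchanged.
    return str(addr), "unresolved"

if __name__ == "__main__":
    for ip in ("192.168.1.20", "198.51.100.7", "203.0.113.9"):
        shown, source = resolve_hostname(ip, ADDRESS_OBJECTS, sample_ptr_lookup)
        print(f"{ip:15} {ptr_query_name(ip):28} -> {shown} ({source})")
```

The source tag in the result keeps names taken from local configuration distinguishable from names returned by DNS.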