Commit warning "dns-security-categories is invalid. Missing pre-defined DNS security category"
Created On 07/06/23 11:49 AM - Last Modified 05/31/25 03:24 AM
Symptom
The following warning message is shown during a commit:
Warnings: shared -> profiles -> spyware -> <Spyware Profile Name> -> botnet-domains -> dns-security-categories is invalid. Missing pre-defined DNS security category
Environment
- Any Panorama
- Any Palo Alto Networks Firewall
- Any PAN-OS version
- Note: This will specifically be seen after upgrading to 10.1.10 or higher, but can occur in any version.
Cause
This warning is caused by a content update adding a new category to the DNS security categories list but not adding it to the configuration file. The commit warning indicates that the newly added DNS security categories are missing in the configuration file.
Resolution
Below are the steps for the workaround to avoid getting the warning message when performing a commit:
- Navigate to the anti-spyware profile that appears in the warning message: Objects > Security Profiles > Anti-Spyware > <Anti-Spyware Profile Name>.
- Navigate to the DNS Policies tab (highlighted in green in the above screenshot).
- Search for Palo Alto Networks Content in the Signature Source column and, if necessary, click the arrow button to show its content (highlighted in blue in the above screenshot).
- Take note of the Policy Action configured for default-paloalto-dns and click on it (highlighted in red in the above screenshot). The below menu will appear under the Policy Action column.
- Temporarily select a different Policy Action value.
- Commit.
- Change the Policy Action value back to what it was set to initially.
- Commit.
This procedure will create the relevant entries in the configuration file and the warning message will no longer appear during commit.
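To find every affected profile before committing, the check below walks an exported configuration along the path named in the warning and lists the anti-spyware profiles whose dns-security-categories section lacks an expected category. It is an added example, not Palo Alto Networks code. The XML layout (entry elements with a name attribute), the function name, the profile names and the category names are assumptions or constructed placeholders; take the real category list from a profile that has already been through the workaround.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the path in the commit warning:
# shared -> profiles -> spyware -> <profile> -> botnet-domains -> dns-security-categories
# Profile and category names are placeholders, not real PAN-OS values.
SAMPLE_CONFIG = """<config><shared><profiles><spyware>
  <entry name="profile-complete"><botnet-domains><dns-security-categories>
    <entry name="category-a"><action>sinkhole</action></entry>
    <entry name="category-b"><action>sinkhole</action></entry>
  </dns-security-categories></botnet-domains></entry>
  <entry name="profile-stale"><botnet-domains><dns-security-categories>
    <entry name="category-a"><action>sinkhole</action></entry>
  </dns-security-categories></botnet-domains></entry>
  <entry name="profile-empty"><botnet-domains/></entry>
  <entry name="profile-no-dns"/>
</spyware></profiles></shared></config>"""

# Placeholder for the category list the installed content version defines.
EXPECTED_CATEGORIES = {"category-a", "category-b"}


def missing_dns_categories(config_xml, expected):
    """Return {profile name: sorted missing categories} for shared profiles."""
    root = ET.fromstring(config_xml)
    report = {}
    for profile in root.iterfind("./shared/profiles/spyware/entry"):
        botnet = profile.find("botnet-domains")
        if botnet is None:
            continue  # assumption: no DNS policy section, nothing to compare
        present = {
            entry.get("name")
            for entry in botnet.iterfind("./dns-security-categories/entry")
        }
        missing = sorted(set(expected) - present)
        if missing:
            report[profile.get("name")] = missing
    return report


if __name__ == "__main__":
    for name, cats in missing_dns_categories(SAMPLE_CONFIG, EXPECTED_CATEGORIES).items():
        print(f"{name}: missing {', '.join(cats)}")
```

Only the shared location shown in the warning is checked; profiles defined elsewhere in the configuration need their own path.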