DNS App-ID changed to dns-base in the traffic logs and getting blocked after downloading content version 8586
19302
Created On 06/27/22 00:34 AM - Last Modified 04/24/24 18:43 PM
Symptom
- DNS application in the traffic logs changed to DNS-Base
- DNS traffic may be impacted, depending on the Security Policy configuration
GUI: Monitor > Logs > Traffic
Environment
- Palo Alto Firewalls or Panorama
- Supported PAN-OS
- Content Version: 8586-7445
Cause
- The App-ID decoder was enhanced in content version 8586-7445 to include the dns-base and dns-non-rfc App-IDs. Refer to App ID Decoder Enhancements
- A manual commit process unintentionally activated these App-IDs. Refer to Content Update 8586 for details
Resolution
- Download and Install the latest content update 8587 and above.
- If you have a PBF (policy based forwarding) rule that allows traffic associated with the dns App-ID, add both the dns-base and dns-non-rfc App-IDs to it after you install the content version, because the automatic conversion of App-IDs does not occur for PBF rules.
- Multiple scenarios of resolution can be found here.
Note:
- If the current security rules use the dns App-ID, then after you install the update those rules will also allow both the dns-base and the dns-non-rfc App-IDs
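The two points above (security rules using dns are converted automatically, PBF rules are not) can be checked before the commit rather than discovered in the traffic logs. The following is an added audit script, not part of this article or of Palo Alto Networks' own tooling. It parses a PAN-OS XML configuration export and lists every PBF rule that still matches dns without dns-base and dns-non-rfc, plus the security rules that reference dns for information. The sample configuration and the element layout (vsys/rulebase/pbf/rules/entry/application/member) are assumptions constructed for the example, as is the set-format CLI line it prints; verify both against an export from your own firewall before using the output.

```python
"""Audit a PAN-OS XML config export for PBF rules that match the dns App-ID
but have not been given the dns-base / dns-non-rfc App-IDs.

Added example; the XML layout and the CLI syntax below are assumptions,
not taken from the KB article.
"""
import xml.etree.ElementTree as ET

# Constructed sample of a configuration export (assumed layout).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase>
      <pbf><rules>
        <entry name="pbf-dns-to-isp2">
          <application><member>dns</member></application>
        </entry>
        <entry name="pbf-dns-updated">
          <application>
            <member>dns</member><member>dns-base</member><member>dns-non-rfc</member>
          </application>
        </entry>
        <entry name="pbf-web">
          <application><member>web-browsing</member></application>
        </entry>
      </rules></pbf>
      <security><rules>
        <entry name="allow-dns-out">
          <application><member>dns</member></application>
        </entry>
        <entry name="allow-web">
          <application><member>web-browsing</member></application>
        </entry>
      </rules></security>
    </rulebase>
  </entry></vsys></entry></devices>
</config>"""

# App-IDs introduced by content version 8586 alongside dns.
NEW_DNS_APP_IDS = ("dns-base", "dns-non-rfc")


def rule_applications(root, rulebase):
    """Yield (rule name, set of App-IDs) for each rule in 'pbf' or 'security'."""
    for entry in root.iterfind(f".//rulebase/{rulebase}/rules/entry"):
        apps = {m.text.strip() for m in entry.iterfind("application/member") if m.text}
        yield entry.get("name"), apps


def pbf_rules_needing_update(config_xml):
    """PBF rules that reference dns but lack at least one of the new App-IDs.

    These are the rules the article says must be edited by hand, because the
    dns -> dns-base/dns-non-rfc conversion is not applied to PBF.
    """
    root = ET.fromstring(config_xml)
    return sorted(
        name
        for name, apps in rule_applications(root, "pbf")
        if "dns" in apps and not set(NEW_DNS_APP_IDS).issubset(apps)
    )


def security_rules_using_dns(config_xml):
    """Security rules referencing dns; listed for review only, these convert automatically."""
    root = ET.fromstring(config_xml)
    return sorted(
        name for name, apps in rule_applications(root, "security") if "dns" in apps
    )


def set_commands(config_xml):
    """Build set-format CLI lines adding the new App-IDs to each flagged PBF rule.

    Assumed syntax (configure mode, vsys context); confirm on your PAN-OS version.
    """
    members = " ".join(NEW_DNS_APP_IDS)
    return [
        f'set rulebase pbf rules "{name}" application [ {members} ]'
        for name in pbf_rules_needing_update(config_xml)
    ]


if __name__ == "__main__":
    print("PBF rules needing dns-base/dns-non-rfc:", pbf_rules_needing_update(SAMPLE_CONFIG))
    print("Security rules using dns (auto-converted):", security_rules_using_dns(SAMPLE_CONFIG))
    for line in set_commands(SAMPLE_CONFIG):
        print(line)
```

Run it against a real export by replacing SAMPLE_CONFIG with the file contents; a rule that matches dns in the output but is absent from the traffic logs afterwards is the symptom the article describes.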
Additional Information
Content update 8586 was released 6/24 but pulled on 6/27.