Security Profile: DNS Security (Strata Cloud Manager)

1. Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager on the hub.
2. Verify that a DNS Security and a Threat Prevention (or Advanced Threat Prevention) license is active. Select ManageConfigurationNGFW and Prisma AccessOverview and click the license usage terms link in the License panel. You should see green check marks next to the following security services: Antivirus, Anti-Spyware, Vulnerability Protection, and DNS Security.
3. Verify that the paloalto-dns-security App-ID in your security policy is configured to enable traffic from the DNS security cloud security service.

   If your firewall deployment routes your management traffic though an Internet-facing perimeter firewall configured to enforce App-ID security policies, you must allow the App-IDs on the perimeter firewall; failure to do so will prevent DNS security connectivity.
4. Configure DNS Security signature policy settings to send malicious DNS queries to the defined sinkhole.

   If you use an external dynamic list as a domain allow list, it does not have precedence over the DNS Security domain policy actions. As a result, when there is a domain match to an entry in the EDL and a DNS Security domain category, the action specified under DNS Security is still applied, even when the EDL is explicitly configured with an action of Allow. If you want to add DNS domain exceptions, either configure an EDL with an Alert action or add them to the DNS Domain/FQDN Allow List located in the DNS Exceptions tab.
5. Attach the DNS Security profile to a Security policy rule.

   A DNS Security profile is only active when it’s included in a profile group that a Security policy rule references. Follow the steps to activate a DNS Security profile (and any Security profile).
6. Test that the policy action is enforced.