Security Profile: DNS Security (Strata Cloud Manager)
Learn how to configure a DNS Security profile in Strata Cloud Manager.
Here's how to configure a DNS Security profile. See Enable DNS Security for detailed
steps.
Use the credentials associated with your Palo Alto Networks support account and
log in to the Strata Cloud Manager on the hub.
Verify that DNS Security and Threat Prevention (or Advanced Threat
Prevention) licenses are active. Select Manage > Configuration > NGFW and Prisma Access > Overview and click the license usage terms link in the
License panel. You should see green check marks next
to the following security services: Antivirus, Anti-Spyware, Vulnerability
Protection, and DNS Security.
Verify that your Security policy allows the paloalto-dns-security App-ID so
the firewall can reach the DNS Security cloud service.
If your deployment routes the firewall's management traffic through an
Internet-facing perimeter firewall that enforces App-ID security
policies, you must also allow this App-ID on the perimeter firewall;
otherwise the DNS Security connection fails.
Configure DNS Security signature policy settings to send malicious DNS queries
to the defined sinkhole.
If you use an external dynamic list (EDL) as a domain allow list, it does not
take precedence over the DNS Security domain policy actions. As a
result, when a domain matches both an entry in the EDL and a DNS
Security domain category, the action specified under DNS Security is
still applied, even when the EDL is explicitly configured with an action
of Allow. To add DNS domain exceptions, either configure an
EDL with an Alert action or add the domains to the DNS Domain/FQDN Allow List
on the DNS Exceptions tab.
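The precedence note above is easy to get wrong when auditing a profile, so here is a small model of it you can run against your own lists. This is an added example, not Palo Alto Networks code or any product API: it encodes only what the text states (a DNS Security category action wins over an EDL Allow entry, while an EDL with action Alert or an entry in the DNS Domain/FQDN Allow List acts as an exception) and then lints a profile for Allow-EDL entries that are silently overridden. The domains, category assignments and list names are constructed sample data; in a real deployment the category verdict comes from the DNS Security cloud service rather than a local dictionary.

```python
"""Model of the DNS Security / EDL action precedence described above.

Added illustration, not Palo Alto Networks code. All domains, category
verdicts and list names are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Edl:
    name: str
    action: str            # "allow", "alert", "block" or "sinkhole"
    domains: set[str]


@dataclass
class DnsSecurityConfig:
    # DNS Security category verdict per domain (constructed stand-in for
    # the cloud service lookup)
    category_of: dict[str, str]
    # action configured per DNS Security category in the profile
    category_action: dict[str, str]
    edls: list[Edl] = field(default_factory=list)
    # DNS Domain/FQDN Allow List on the DNS Exceptions tab
    exception_allow_list: set[str] = field(default_factory=set)


def _edl_match(cfg: DnsSecurityConfig, domain: str):
    for edl in cfg.edls:
        if domain in edl.domains:
            return edl
    return None


def effective_action(cfg: DnsSecurityConfig, domain: str) -> str:
    """Return the action applied to a DNS query for `domain`."""
    domain = domain.lower().rstrip(".")
    # 1. An entry in the DNS Exceptions allow list is always honoured.
    if domain in cfg.exception_allow_list:
        return "allow"
    edl = _edl_match(cfg, domain)
    # 2. An EDL with action Alert is the other documented exception
    #    mechanism: the query is logged, not sinkholed.
    if edl is not None and edl.action == "alert":
        return "alert"
    # 3. A DNS Security category match applies the category action, even
    #    when the domain is also on an EDL configured with action Allow.
    category = cfg.category_of.get(domain)
    if category is not None and category in cfg.category_action:
        return cfg.category_action[category]
    # 4. Otherwise the EDL action (if any) applies.
    if edl is not None:
        return edl.action
    return "allow"


def ineffective_allow_entries(cfg: DnsSecurityConfig):
    """(edl name, domain, action) for Allow-EDL entries that do not allow."""
    findings = []
    for edl in cfg.edls:
        if edl.action != "allow":
            continue
        for d in sorted(edl.domains):
            action = effective_action(cfg, d)
            if action != "allow":
                findings.append((edl.name, d, action))
    return findings


# Constructed sample profile (category names mirror the pan-dns-sec-* style).
SAMPLE = DnsSecurityConfig(
    category_of={
        "bad-cc.example": "pan-dns-sec-cc",
        "evil-malware.example": "pan-dns-sec-malware",
        "partner-ddns.example": "pan-dns-sec-ddns",
    },
    category_action={
        "pan-dns-sec-cc": "sinkhole",
        "pan-dns-sec-malware": "sinkhole",
        "pan-dns-sec-ddns": "alert",
    },
    edls=[
        Edl("corp-allow-edl", "allow", {"evil-malware.example", "intranet.example"}),
        Edl("corp-alert-edl", "alert", {"bad-cc.example"}),
    ],
    exception_allow_list={"partner-ddns.example"},
)


if __name__ == "__main__":
    for d in ("evil-malware.example", "bad-cc.example",
              "partner-ddns.example", "intranet.example"):
        print(f"{d:24} -> {effective_action(SAMPLE, d)}")
    for edl_name, d, action in ineffective_allow_entries(SAMPLE):
        print(f"EDL {edl_name!r}: Allow for {d} is overridden by DNS Security "
              f"({action}); use an Alert EDL or the DNS Domain/FQDN Allow List")
```

Running it shows evil-malware.example still sinkholed despite its Allow-EDL entry, bad-cc.example downgraded to alert by the Alert EDL, and partner-ddns.example allowed only because it sits in the DNS Exceptions list. Feed your own EDL contents and exception list into `DnsSecurityConfig` to find Allow entries that will not behave as intended.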
Attach the DNS Security profile to a Security policy rule.
A DNS Security profile is only active when it’s included in a profile group
that a Security policy rule references. Follow the steps to activate a DNS Security profile (and any Security
profile).