Security Profile: DNS Security (PAN-OS & Panorama)
Learn how to configure a DNS Security profile in PAN-OS & Panorama.
Here's how to configure a DNS Security profile. See Enable DNS Security for detailed
steps.
To take advantage of DNS Security, you must have an active DNS Security and
Threat Prevention (or Advanced Threat Prevention) subscription.
Verify that you have the necessary subscriptions: select Device > Licenses and
confirm that the appropriate licenses are displayed and have not expired.
Verify that the paloalto-dns-security App-ID in your security policy is
configured to allow traffic from the DNS Security cloud service.
If your firewall deployment routes your management traffic through an
Internet-facing perimeter firewall configured to enforce App-ID security
policies, you must allow the App-IDs on the perimeter firewall; failure
to do so will prevent DNS Security connectivity.
Configure DNS Security signature policy settings to send malicious DNS queries
to the defined sinkhole.
If you use an external dynamic list (EDL) as a domain allow list, it does not
take precedence over the DNS Security domain policy actions. As a
result, when a domain matches both an entry in the EDL and a DNS
Security domain category, the action specified under DNS Security is
still applied, even when the EDL is explicitly configured with an action
of Allow. If you want to add DNS domain exceptions, either configure an
EDL with an Alert action or add them to the DNS Domain/FQDN Allow List
located in the DNS Exceptions tab.
Attach the Anti-Spyware profile to a Security policy rule.
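The following is an added example, not Palo Alto Networks code and not a PAN-OS API: a small Python model of the action precedence described above (DNS Security category actions, EDL Allow and Alert actions, and the DNS Domain/FQDN Allow List), plus a helper that reports EDL Allow entries a DNS Security verdict would override. Use it to sanity-check an exception design before committing it to the firewall. The profile contents, EDL entries, category names and domain verdicts are constructed samples, and the allow list uses exact matching, which is a simplification.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class DnsSecurityProfile:
    """Subset of a DNS Security profile relevant to action precedence (model only)."""
    # DNS Security category -> configured action (allow, alert, block, sinkhole)
    category_actions: Dict[str, str]
    # DNS Domain/FQDN Allow List from the DNS Exceptions tab (exact match in this model)
    fqdn_allow_list: Set[str] = field(default_factory=set)


@dataclass
class EdlEntry:
    """A domain taken from an external dynamic list, with the EDL's configured action."""
    domain: str
    action: str  # "allow" or "alert"


def effective_action(domain: str, category: Optional[str],
                     profile: DnsSecurityProfile,
                     edl: Dict[str, EdlEntry]) -> str:
    """Return the action applied to a DNS query for `domain`.

    `category` is the DNS Security category the cloud verdict assigned to the
    domain, or None when the domain is benign or unknown.
    """
    # 1. An entry on the DNS Exceptions tab exempts the domain from enforcement.
    if domain in profile.fqdn_allow_list:
        return "allow"
    entry = edl.get(domain)
    # 2. An EDL with action Alert is the other supported exception mechanism:
    #    the query is logged but not sinkholed or blocked.
    if entry is not None and entry.action == "alert":
        return "alert"
    # 3. A DNS Security category verdict is applied as configured, even when the
    #    same domain is listed in an EDL whose action is Allow.
    if category is not None and category in profile.category_actions:
        return profile.category_actions[category]
    # 4. No category verdict: an EDL Allow, or no match at all, lets the query through.
    return "allow"


def ineffective_edl_allows(profile: DnsSecurityProfile,
                           edl: Dict[str, EdlEntry],
                           verdicts: Dict[str, Optional[str]]) -> list:
    """List EDL 'allow' entries that a DNS Security verdict would still override."""
    return sorted(
        d for d, e in edl.items()
        if e.action == "allow"
        and effective_action(d, verdicts.get(d), profile, edl) != "allow"
    )


# Constructed sample data (hypothetical domains under the reserved .example TLD).
SAMPLE_PROFILE = DnsSecurityProfile(
    category_actions={"malware": "sinkhole",
                      "command-and-control": "sinkhole",
                      "phishing": "block"},
    fqdn_allow_list={"updates.vendor.example"},
)
SAMPLE_EDL = {
    "partner.example": EdlEntry("partner.example", "allow"),
    "cdn.example": EdlEntry("cdn.example", "alert"),
    "ok.example": EdlEntry("ok.example", "allow"),
}
SAMPLE_VERDICTS: Dict[str, Optional[str]] = {
    "evil.example": "malware",
    "partner.example": "command-and-control",  # EDL Allow does not save this one
    "cdn.example": "malware",                  # EDL Alert does
    "updates.vendor.example": "phishing",      # DNS Exceptions allow list does
}

if __name__ == "__main__":
    for domain in ["evil.example", "partner.example", "cdn.example",
                   "updates.vendor.example", "ok.example"]:
        verdict = SAMPLE_VERDICTS.get(domain)
        print(f"{domain:24} category={verdict!s:20} -> "
              f"{effective_action(domain, verdict, SAMPLE_PROFILE, SAMPLE_EDL)}")
    print("EDL Allow entries overridden by DNS Security:",
          ineffective_edl_allows(SAMPLE_PROFILE, SAMPLE_EDL, SAMPLE_VERDICTS))
```

Running the script shows partner.example being sinkholed despite its EDL Allow entry, while cdn.example (EDL Alert) and updates.vendor.example (DNS Exceptions allow list) are not enforced against; ineffective_edl_allows() lists exactly the entries that need to be moved to one of those two mechanisms.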