What is the correct behavior when a Palo Alto Networks next-generation firewall (NGFW) is unable to retrieve a DNS verdict from DNS service cloud in the configured lookup time?
When a Palo Alto Networks next-generation firewall (NGFW) is unable to retrieve a DNS verdict from the DNS service cloud within the configured lookup time, the NGFW permits a response from the DNS server. This approach ensures that regular DNS traffic is not interrupted, even if the NGFW experiences issues in fetching DNS security verdicts. This allows the network to function normally while maintaining its security where possible.
"If the firewall is unable to retrieve a signature verdict in the allotted time due to connectivity issues, the request, including all subsequent DNS responses, are passed through."
Updated link here: https://docs.paloaltonetworks.com/dns-security/administration/configure-dns-security/configure-lookup-timeout
C is right, refer to Step 11 https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/dns-security/enable-dns-security
Result is still C on newer OS config guide