What will a Palo Alto Networks next-generation firewall (NGFW) do when it is unable to retrieve a DNS verdict from the DNS cloud service in the configured lookup time?
When a Palo Alto Networks next-generation firewall (NGFW) is unable to retrieve a DNS verdict from the DNS cloud service within the configured lookup time, it allows the request and all subsequent responses. This approach ensures that legitimate traffic is not blocked due to a temporary inability to retrieve a DNS verdict, maintaining network functionality and minimizing disruption.
If the firewall is unable to retrieve a signature verdict in the allotted time due to connectivity issues, the request, including all subsequent DNS responses, is passed through.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/dns-security/enable-dns-security
https://docs.paloaltonetworks.com/dns-security/administration/configure-dns-security/configure-lookup-timeout