DNS lookup failure(s)-paloaltonetworks-panos

Knowledge
, , , ,
#1

DNS lookup failure(s)-paloaltonetworks-panos

Vendor: paloaltonetworks

OS: panos

Description:
Indeni will alert if the DNS resolution is not working on the device.

Remediation Steps:
Review the cause for the DNS resolution not working.

How does this work?
This script logs into the Palo Alto Networks firewall through SSH attempts to ping www.indeni.com. In the process of that ping, it also forces the firewall to resolve “www.indeni.com” to an IP address. A failure to ping www.indeni.com indicates that the DNS server is not responding, or that connectivity to the Internet has been severed.

Why is this important?
Some services on a Palo Alto Networks firewall require a working DNS connection. For example, the FQDN objects require DNS connectivity (see https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-and-Test-FQDN-Objects/ta-p/61903).

Without Indeni how would you find this?
An administrator would need to write a script to poll their firewalls for the data (force a resolution of a hostname), or simply troubleshoot once an issue occurs.

panos-ping-indeni-com

name: panos-ping-indeni-com
description: check to see if DNS resolution is working
type: monitoring
monitoring_interval: 30 minutes
requires:
    vendor: paloaltonetworks
    os.name: panos
comments:
    dns-server-state:
        why: |
            Some services on a Palo Alto Networks firewall require a working DNS connection. For example, the FQDN objects require DNS connectivity (see https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-and-Test-FQDN-Objects/ta-p/61903).
        how: |
            This script logs into the Palo Alto Networks firewall through SSH attempts to ping www.indeni.com. In the process of that ping, it also forces the firewall to resolve "www.indeni.com" to an IP address. A failure to ping www.indeni.com indicates that the DNS server is not responding, or that connectivity to the Internet has been severed.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: ping count 1 host www.indeni.com
    parse:
        type: AWK
        file: ping-indeni-com.parser.1.awk

CrossVendorDnsFailure

Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/crossvendor/CrossVendorDnsFailure.scala

Indeni Steps

  • get dns server address via xapi

  • parse xml response for primary dns server address

  • parse xml response for secondary dns server address

  • check if remote dns port is open

  • is remote dns port open?

  • ping dns server

  • is dns server pingable?

find the reason why a dns service is unreachable

Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/automation/playbooks/get_dns_failure_reason.yml
#2

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/dns/use-case-1-firewall-requires-dns-resolution-for-management-purposes.html