FQDNs Expire to blank record
Hi,
I have a small issue with FQDNs expiring to "blank". If one should expire, I want it to remember the address until it updates from the source.
The reason for this is that the FQDNs are all in a group, and these are checked as part of the SSLVPN connection, meaning if the FQDN is listed they can connect to the SSLVPN.
When the FQDN TTL expires, it's stripping the IP away to a blank entry, and that person gets kicked from the SSLVPN. I am manually having to go to the address object, make a small change to it, save it, then go back in and correct it and save it, so it works again.
Here is my example screenshot of an expired to blank
If the TTL expires, I need the IP to remain, and if the source updates it then that's fine.
Here is an example of what I need
The record has expired, but the IP is still there.
I have been into the Diag and changed the option to
However, I have had an expired record happen after I selected this option, so I am wondering: do I need to reboot or anything like that?
Or is there another setting I can edit?
Thanks
Answers
@stokie21 do you have a mixed Gen6/Gen7 UI? Looks a bit confusing to me.
What about the option "Do not delete expired hosts of an FQDN Network Object with active connections or until DNS re-query succeeds" on the Internal Settings page? Otherwise "Retain expired FQDN hosts until a successful DNS resolution occurs" looks good to me.
Another option, manual TTL setting in the FQDN object?
I checked on one deployment and the FQDN was marked as expired, but it still contains the IP addresses.
—Michael@BWC
Well spotted,
I stole that picture from here, as I was on the address objects page and didn't want to go back in the diag to take the screenshot.
https://www.sonicwall.com/support/knowledge-base/performance-degradation-impact-of-fqdn-address-objects-on-the-cpu/171004095251533
I didn't spot
"Do not delete expired hosts of an FQDN Network Object with active connections or until DNS re-query succeeds"
I will try that one also. I haven't had another yet today, so maybe I was impatient. I ideally didn't want to mess with the TTL as I have never had to before; I was just trying to change as little as possible rather than 3 changes in one go.
Thank you for the help, I will give that setting a try tomorrow if the one I did first doesn't work.