So Palo Alto TAC recently confirmed to me that PAN OS 9.0.3 has a bug wherein the proxydnsd service will max the management CPU even if you're not using proxy DNS.
It is slated for a fix in November's release of 9.0.5; however, I would rather not have the management CPU constantly maxed. So to fix this problem I created a Python script with the Paramiko library for SSH connectivity. This allows you to automate CLI commands via Python. Since the command to restart the proxydnsd service is a debug command, you can't use the PA API; it has to be done from the CLI.
I run this Python script using Python 2.7 on an Ubuntu Linux VM. You will need to pip install paramiko; the time module is part of the Python standard library and needs no installation.
#
# Log into PAN Firewall via SSH and restart DNS Proxy
# which is causing mgmt cpu spike on PAN OS 9.0.3
# Requires Python 2.x
# Setup crontab schedule to automatically execute
#
import paramiko
import time

USERNAME = 'username'
PASSWORD = 'password'
HOSTNAME = '192.168.0.1'  # Firewall's IP
PORT = 22


def ssh_command(username=USERNAME, password=PASSWORD, hostname=HOSTNAME, port=PORT):
    ssh_client = paramiko.SSHClient()
    # AutoAddPolicy accepts any host key that is not already in known_hosts
    # without verifying it
    ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh_client.load_system_host_keys()
    ssh_client.connect(hostname, port, username, password)
    try:
        # A debug command needs the interactive CLI, so open a shell channel
        remote_conn = ssh_client.invoke_shell()
        # print("Interactive SSH session established")
        remote_conn.send("debug software restart process dnsproxy\n")
        # Give the firewall time to restart the process before logging out
        time.sleep(8)
        remote_conn.send("exit\n")
    finally:
        # Always release the SSH session, even if a send fails
        ssh_client.close()


if __name__ == '__main__':
    ssh_command()
You can download the script from my GitHub page. I set up crontab to run the script at 20 minute intervals:
1. Make sure your script is working first (you have filled out the username, password and hostname fields and it executes correctly with Python 2.x).
2. crontab -e
   Select 1. for Nano
3. Add a new line like so:
   */20 * * * * python /path/to/PADebugCmd.py
Where /path/to is your directory path to the script file.
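A variant of the script above that keeps credentials out of the file and refuses to connect to a firewall whose host key is not already in known_hosts. This is an added example, not the script from the GitHub page; it assumes Python 3, an admin account set up for SSH public key authentication, and the hypothetical environment variables PAN_HOST, PAN_USER, PAN_KEY_FILE and PAN_PORT.

```python
import os
import stat
import time

COMMAND = "debug software restart process dnsproxy\n"  # command from the post


def load_settings(env=os.environ):
    """Read connection settings from the environment (variable names are assumptions)."""
    missing = [k for k in ("PAN_HOST", "PAN_USER", "PAN_KEY_FILE") if not env.get(k)]
    if missing:
        raise ValueError("missing settings: " + ", ".join(missing))
    key_file = env["PAN_KEY_FILE"]
    # Refuse a private key that group or other users can read, write or execute
    mode = stat.S_IMODE(os.stat(key_file).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise ValueError("%s is accessible to group/other (mode %o)" % (key_file, mode))
    return {"hostname": env["PAN_HOST"], "username": env["PAN_USER"],
            "key_filename": key_file, "port": int(env.get("PAN_PORT", "22"))}


def restart_dnsproxy(settings, wait=8):
    import paramiko  # imported here so load_settings() can be checked without it
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    # Unknown or changed host keys abort the connection instead of being trusted
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    try:
        client.connect(allow_agent=False, look_for_keys=False, timeout=15, **settings)
        shell = client.invoke_shell()
        shell.send(COMMAND)
        time.sleep(wait)
        # Return whatever the CLI printed so the cron mail or log shows the result
        output = shell.recv(65535).decode("utf-8", "replace") if shell.recv_ready() else ""
        shell.send("exit\n")
        return output
    finally:
        client.close()


if __name__ == "__main__":
    print(restart_dnsproxy(load_settings()))
```

Connect once by hand with ssh as the cron user so the firewall's host key is recorded in known_hosts, and set the variables at the top of the crontab, since cron does not load your login environment.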