Dynamic DNS Registration Support for Mobile Users—GlobalProtect
Learn about Dynamic DNS (DDNS) functionality and how to use it in Prisma Access mobile user GlobalProtect deployments.
Where Can I Use This?
  • Prisma Access (Managed by Panorama)
  • Next-Generation Firewalls that are managed by Panorama with a valid Strata Logging Service license and a Cloud Services plugin
What Do I Need?
  • Minimum Required Prisma Access Version: 3.1.1 Preferred or Innovation
  • Supported on Panoramas running versions 10.2 and later (not supported on Panoramas running 10.1)
This functionality is available for Prisma Access deployments starting with Prisma Access (Managed by Panorama) 3.1.1. It is not available for Prisma Access (Managed by Strata Cloud Manager) deployments.
When a mobile user connects remotely to Prisma Access using GlobalProtect, the DNS servers in your enterprise are not updated with the GlobalProtect gateway-assigned IP address. Until you enable Dynamic DNS (DDNS), there is no mapping between tunnel IP addresses and endpoint names, the mapping that DNS stores as address and pointer (A and PTR) records, so your IT administrator or user management software cannot resolve a remote endpoint name to its IP address.
After you enable the DDNS feature on Prisma Access, the Prisma Access Cloud Services plugin checks the GlobalProtect events in Cortex Data Lake every 15 minutes to capture each endpoint's hostname, domain name, and tunnel IP address. It then dynamically creates A and PTR records on the DNS server using NSUPDATE.

Dynamic DNS Workflow for Mobile Users—GlobalProtect

Read the following sections to get an overview of how DDNS works, its guidelines and requirements, and how to enable it.
After you enable DDNS, the following takes place when a mobile user logs in with the GlobalProtect app:
  1. GlobalProtect establishes an SSL tunnel between the GlobalProtect endpoint and an on-premises or Prisma Access gateway.
  2. GlobalProtect sends the mobile user device’s hostname, domain name, and tunnel IP address through the tunnel to the on-premises or Prisma Access gateway.
  3. The on-premises gateway or Prisma Access forwards this information as GlobalProtect events to Cortex Data Lake.
  4. The Prisma Access Cloud Services plugin probes Cortex Data Lake every 15 minutes to update the DNS server.
    If the plugin does not receive the GlobalProtect events from Cortex Data Lake, it retries the request a maximum of five times. If those retries are not successful, the plugin retries the operation at each 15-minute interval, for a maximum of four intervals. The plugin can therefore keep receiving updates for a given set of events over a window of one hour.
    If you want more frequent updates, enter the debug plugins cloud_services set-gp-ddns-interval command to change the update interval to five minutes. A commit is not required to update the time interval. If you change the interval to five minutes, the Cloud Services plugin can update a maximum of 15,000 records with a network latency of 50 msec and can receive updates for a time interval of 20 minutes.
    • No Commit is required after you change the time interval using the command.
    • These numbers are from a controlled environment; real-world operating conditions can affect them.
  5. After receiving the updates from Cortex Data Lake, the Cloud Services plugin packages the A and PTR records as an NSUPDATE request and updates the primary DNS server every 15 minutes.
    If you changed the time interval to five minutes using the debug plugins cloud_services set-gp-ddns-interval command, the plugin updates the DNS server every five minutes.
    If the plugin is unable to update the DNS server through NSUPDATE, it retries the update operation a maximum of five times. If those retries are not successful, the plugin retries the update operation every 15 minutes (or every five minutes if you changed the interval) for a maximum of four times. The plugin therefore tries to push the logged events to the DNS server for a maximum of one hour (with a 15-minute interval) or 20 minutes (with a five-minute interval), after which it starts afresh.
  6. After the A and PTR records of GlobalProtect mobile users are available on the DNS server, an IT administrator or enterprise software looks up these records through a DNS or reverse DNS (RDNS) query and resolves the endpoint name or IP address.
  7. The IT administrator or the endpoint management software uses this information to manage the endpoint or push software updates.
The following figure illustrates this workflow.
To view the connection failure logs, select Dashboard > System Logs or Monitor > Logs > System for Mobile_User_Device_Group.
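The following Python is an added example, not the Cloud Services plugin's own code (which this page does not show), of what steps 4 and 5 produce: an NSUPDATE batch that registers the A and PTR records for a set of GlobalProtect events, plus the reverse zone that must exist for the mobile-user IP pool. The event fields, host and zone names, the pool, and the `nsupdate -k <keyfile>` invocation are constructed assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed sample of the three fields the plugin captures from each
# GlobalProtect event: endpoint hostname, domain name, and tunnel IP.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"hostname": "laptop-01", "domain": "corp.example.com", "tunnel_ip": "10.20.30.41"},
    {"hostname": "laptop-02", "domain": "corp.example.com", "tunnel_ip": "10.20.30.42"},
]

def fqdn(event: Dict[str, str]) -> str:
    """Owner name of the endpoint's A record (absolute, with trailing dot)."""
    return f"{event['hostname']}.{event['domain']}."

def reverse_name(ip: str) -> str:
    """Owner name of the PTR record: 10.20.30.41 -> 41.30.20.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def reverse_zone_for_pool(pool_cidr: str) -> str:
    """Reverse zone that must exist for a mobile-user IP pool (see the guidelines),
    e.g. 10.20.30.0/24 -> 30.20.10.in-addr.arpa. Octet-aligned pools only."""
    net = ipaddress.ip_network(pool_cidr, strict=False)
    if net.prefixlen % 8:
        raise ValueError("use a /8, /16 or /24 pool for a classful in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def build_nsupdate_input(events: List[Dict[str, str]], server: str,
                         forward_zone: str, reverse_zone: str, ttl: int = 900) -> str:
    """Text fed on stdin to `nsupdate -k <key-file>` (assumed usage): one signed
    batch per zone that replaces each endpoint's A record and the PTR record at
    its current tunnel IP, so a pool address reassigned to another endpoint does
    not keep the previous owner's PTR."""
    lines = [f"server {server}", f"zone {forward_zone}"]
    for ev in events:
        name = fqdn(ev)
        lines.append(f"update delete {name} A")  # drop the previous session's IP
        lines.append(f"update add {name} {ttl} A {ev['tunnel_ip']}")
    lines.append("send")
    lines.append(f"zone {reverse_zone}")
    for ev in events:
        rev = reverse_name(ev["tunnel_ip"])
        lines.append(f"update delete {rev} PTR")
        lines.append(f"update add {rev} {ttl} PTR {fqdn(ev)}")
    lines.append("send")
    return "\n".join(lines) + "\n"
```

Both zones named in the batch must already exist on the Infoblox primary and accept TSIG-signed updates, otherwise the server refuses the whole batch for that zone.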

Dynamic DNS Guidelines and Requirements

Before you enable DDNS, ensure that your deployment and DNS server meet the following guidelines and requirements:
  • Update your GlobalProtect client to the following GlobalProtect app versions based on your OS:
    • Windows: 5.2.11 or later
    • Mac: 5.2.11 or later
    • Linux: 5.3.3 or later
  • Enable Cortex Data Lake if you use an on-premises gateway other than Prisma Access.
  • An Infoblox DNS server running version 8.6.1 or later that supports DDNS updates through NSUPDATE is required.
  • Multitenant Prisma Access deployments do not support DDNS.
  • Save the authentication key from your DNS server in base64 format with a file extension of .key. Prisma Access accepts the key upload only in this format.
  • Enable NTP on your DNS server and ensure that its clock matches that of Prisma Access; signed NSUPDATE requests carry a timestamp, and the DNS server rejects them when the two clocks drift apart.
  • Create zones in Infoblox for the reverse (PTR) and forward (A) addresses.
You can deploy Dynamic DNS in a standalone deployment with next-generation firewalls as well as with Prisma Access. For firewalls, all the prerequisites in this section apply, and you also must have a valid Strata Logging Service license and use the Cloud Services plugin in Panorama for logging.
