Prisma Access
Configure Dynamic DNS Updates for Prisma Access (Managed by Strata Cloud Manager)
Table of Contents
Configure Dynamic DNS Updates for Prisma Access (Managed by Strata Cloud Manager)
Prisma Access (Managed by Strata Cloud Manager)
- FromStrata Cloud Manager, go to and click the gear to edit theInfrastructure Settings.
![]()
- SelectAdvanced Settings.
![]()
- Configure theDynamic DNS Supportsettings.
- SelectDynamic DNS Support for GlobalProtect.
- Select theDomain Type.
- Fallback Domain—The domain used for the nsupdate events falls back to the domain you specify in theFallback Domainarea. Use this choice if the GlobalProtect clients are not joined to any domain, or if they are domain-joined to the same domain that the DDNS service uses to update the records on the DNS server.If you selectFallback Domainand users who are not connected to a domain log into GlobalProtect, their information is added under the fallback domain zone that's created on the DNS server.If GlobalProtect clients that are logging in to GlobalProtect belong to an unexpected domain that isn't configured on the DNS server, nsupdate might fail; in this case; selectOverride Domainto override the unknown domain with the domain that is known to the DNS server.
- Override Domain—Prisma Accessuses only the domain you specify to update the DNS server and overrides all other domains. If GlobalProtect clients log in to another domain, the DDNS service uses the domain you specify here to update the DNS A and PTR records.
- Select the domain that is used to update the PTR records for either fallback or override domains in theFallback Domainfield.
- Select theDNS Server IPaddress.
- Select theServer Type(eitherTSIGorKerberos).
- (TSIG Deployments Only) Select theTSIG Keyto use with TSIG.Make sure that the TSIG file is in the correct format and has a filetype of .key. The TSIG file should be in the following format:key "ddns-gp" { algorithm hmac-sha256; secret "aBCDEFGhiJklMNO89PQR+8stUVWX+YZAbcdeFgHI5J="; };(Kerberos Deployments Only) Specify the Kerberos options to use.
- Enter the IP address of theKerberos Domain Controller.
- Enter the IP address of theKerberos Admin Server.
- Enter theKerberos User Name.
- Enter theKerberos Key(the keytab) to use.Be sure that the Kerberos key is in the correct format.
![]()
- Saveyour changes.
- Set up forward lookup and reverse lookup zones on your DNS server.Refer to the documentation for your IPAM vendor to set up these zones. This step requires that you enter theInfrastructure SubnetandClient IP PoolfromPrisma Access.
- To find the infrastructure subnet, go to and make a note of theInfrastructure Subnet.
![]()
- To find the GlobalProtect mobile user IP address pool, go to and make a note of theClient IP Pool.
![]()
- Verify that DNS records are being updated on the IPAM DNS server.
- Open a client machine and connect to aPrisma AccessGlobalProtect gateway.
![]()
- Select GlobalProtectSettingsand verify the GlobalProtect IP address thatPrisma Accessassigned to the user.
![]()
TheAssigned IP Address(es)(100.126.2.7) shows that the IP address comes from the GlobalProtect IP address pool (100.126.0.0/16).![]()
- From the IPAM DNS server, view the user's record.In this example, the user is namedtestuser1-win10.
![]()
The DNS reverse lookup also displays the username in the PTR record.![]()
- Log the user off from GlobalProtect and check the records to make sure that the DNS server has deleted the records for the user.
