Prisma Access allows you to specify DNS servers to resolve both domains that are internal to your organization and external domains.
Set up Prisma Access to resolve internal domains.
  • Set up internal domain lists that apply to all traffic.
    1. Select Panorama > Cloud Services > Configuration > Service Setup and click the gear icon to edit the Settings.
    2. Select the Internal Domain List tab.
    3. Add the Domain Names, Primary DNS, and Secondary DNS servers that you want Prisma Access to use to resolve your internal domain names.
      You can use a wildcard (*) in front of the domains in the domain list, for example *.acme.local or *.acme.com.
  • Add internal domain lists that apply only to specific mobile user deployments or remote network sites.
    1. Configure DNS settings:
      • Mobile Users—Go to Panorama > Cloud Services > Configuration > Mobile Users - GlobalProtect, select the external gateway, and click Network Services.
      • Remote Networks—Go to Panorama > Cloud Services > Configuration > Remote Networks > Settings > DNS Proxy.
    2. Use the Worldwide default (the Prisma Access default DNS server) or customize settings based on region. In either case, select the region to adjust and customize the DNS settings for that region.
    3. Add one or more rules to configure the DNS settings for Internal Domain.
      • Enter a unique Rule Name for the rule.
      • If you want your internal DNS server to resolve only the domains you specify, enter the domains to resolve in the Domain List. Specify an asterisk in front of the domain; for example, *.acme.com. You can specify a maximum of 1,024 domain entries.
        Prisma Access has a predefined rule to resolve *.amazonaws.com domains using the Cloud Default server. If you want your internal DNS servers to resolve a more-specific *.amazonaws.com domain (for example, *.s3.amazonaws.com), enter the URL in the Domain List.
        Prisma Access evaluates the domain names from longest to shortest, then from top to bottom in the list.
      • If you have a Custom DNS server that can access your internal domains, specify the Primary DNS and Secondary DNS server IP addresses, or select Use Cloud Default to use the default Prisma Access DNS server.
    4. Specify the DNS settings for Public Domains.
      • Use Cloud Default—Use the default Prisma Access DNS server.
      • Same as Internal Domains—Use the same server that you use to resolve internal domains. When you select this option, the DNS server used to resolve public domains is the same as the server configured for the first rule in the Internal Domains section.
      • Custom DNS server—If you have a DNS server that can access your public (external) domains, enter the Primary DNS server address in that field.
    5. (Optional) You can Add a DNS Suffix to specify the suffix that the client should use locally when an unqualified hostname is entered that it cannot resolve, for example, acme.local. Do not enter a wildcard (*) character in front of the domain suffix (for example, acme.com). You can add multiple suffixes.
    6. Allow traffic from all addresses in your mobile user IP address pool to your DNS servers.
      The DNS proxy in Prisma Access sends the requests to the DNS servers you specify. The source address in the DNS request is the first IP address in the IP pool you assign to the region. To ensure that your DNS requests can reach the servers, allow traffic from all addresses in your mobile user IP address pool to your DNS servers.
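
The evaluation order in step 3 (longest domain first, then top to bottom) decides which DNS server receives a query, so it helps to check offline that names meant to stay internal never fall through to the Cloud Default server or the Public Domains setting. The following Python model is an added example, not Palo Alto Networks code; the rule names, IP addresses, the CLOUD_DEFAULT placeholder, the position of the predefined rule, and the assumption that *.acme.com does not match the bare acme.com are illustrative.

```python
# Added example: models the rule order stated in step 3; not Prisma Access code.
from typing import NamedTuple, Optional

MAX_DOMAIN_ENTRIES = 1024        # per-rule limit stated in step 3
CLOUD_DEFAULT = "cloud-default"  # placeholder for the Prisma Access default DNS server

class Rule(NamedTuple):
    name: str
    domains: tuple   # Domain List entries, e.g. "*.acme.com"
    servers: tuple   # (primary, secondary) IPs, or (CLOUD_DEFAULT,)

def validate(rule: Rule) -> list:
    """Return problems with a rule's Domain List (empty list means OK)."""
    problems = []
    if len(rule.domains) > MAX_DOMAIN_ENTRIES:
        problems.append(f"{rule.name}: more than {MAX_DOMAIN_ENTRIES} entries")
    problems += [f"{rule.name}: {d!r} lacks a leading '*.'"
                 for d in rule.domains if not d.startswith("*.")]
    return problems

def matches(pattern: str, fqdn: str) -> bool:
    # Assumption: "*.acme.com" covers names ending in ".acme.com", not "acme.com" itself.
    name = fqdn.lower().rstrip(".")
    return pattern.startswith("*.") and name.endswith(pattern[1:].lower())

def select_rule(rules: list, fqdn: str) -> Optional[Rule]:
    """Longest matching domain wins; ties go to the rule nearer the top."""
    hits = [(len(d), -pos, rule) for pos, rule in enumerate(rules)
            for d in rule.domains if matches(d, fqdn)]
    return max(hits, key=lambda h: h[:2])[2] if hits else None

def leaked_names(rules: list, must_stay_internal: list) -> list:
    """Names that would NOT be sent to a custom internal DNS server."""
    out = []
    for name in must_stay_internal:
        rule = select_rule(rules, name)
        if rule is None or rule.servers == (CLOUD_DEFAULT,):
            out.append(name)
    return out

# Constructed sample rules; the rule names and IP addresses are made up.
RULES = [
    Rule("predefined-aws", ("*.amazonaws.com",), (CLOUD_DEFAULT,)),
    Rule("corp", ("*.acme.local", "*.acme.com"), ("10.0.0.53", "10.0.1.53")),
    Rule("s3-internal", ("*.s3.amazonaws.com",), ("10.0.0.53", "10.0.1.53")),
]

if __name__ == "__main__":
    for host in ("build.acme.local", "logs.s3.amazonaws.com", "ec2.amazonaws.com", "example.org"):
        rule = select_rule(RULES, host)
        print(host, "->", rule.name if rule else "Public Domains setting")
```

A name for which select_rule returns None is handled by the Public Domains setting from step 4, so any internal name listed by leaked_names needs its own Domain List entry.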

