DNS Configuration Assignment Based on Users or User Groups

You can now configure GlobalProtect gateways to send different DNS configurations to connecting endpoints based on users and user groups.
Software Support: PAN-OS 9.0® and later releases
You can now configure GlobalProtect gateways to send different DNS server and DNS suffix configurations to connecting endpoints based on the individual users or users within a specific user group who have logged in to these endpoints. This enhancement reduces the number of gateways and firewalls that you must deploy for your users, as you are no longer required to configure separate gateways for each set of DNS server and DNS suffix configurations. For example, you can configure the Partner 1 user group to use a specific DNS server and set of DNS suffixes. On the same gateway, you can then configure the Partner 2 user group to use a different DNS server and different set of DNS suffixes.
Use the following steps to configure a DNS server or DNS suffix based on a user or user group:
  1. Map users to user groups so that you can define policy rules and configurations based on group membership instead of individual users.
  2. Specify the config selection criteria (including the user or user group) for your client settings configuration.
    The config selection criteria indicate the criteria that users must match against when connecting to a GlobalProtect gateway. If a user matches all specified criteria (Source User, OS, and Source Address), the gateway deploys this client settings configuration to the user.
    • Specify the IP address of the DNS Server to which the GlobalProtect app with this client settings configuration sends DNS queries. You can add multiple DNS servers by separating each DNS server with a comma.
    • Specify the DNS Suffix that the endpoint should use locally when an unqualified hostname, which the endpoint cannot resolve, is entered. You can enter multiple DNS suffixes (up to 100) by separating each suffix with a comma.
    If you configure at least one DNS server or DNS suffix at the client level (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-settings-config> > Network Services), the gateway sends the client level configuration for both the DNS server and DNS suffix to the endpoint. This occurs even when you configure gateway level (global) DNS servers and DNS suffixes.
    If you do not configure any DNS servers or DNS suffixes at the client level, the gateway sends the global DNS servers and DNS suffixes to the endpoint, if configured (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Network Services).
  3. Save the gateway configuration.
    1. Click OK twice.
    2. Commit your changes.
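The selection and precedence rules above (all criteria must match; any client-level DNS value replaces both global lists, otherwise the global lists apply), as an added Python model that is not product code from Palo Alto Networks or part of this documentation. The config names, groups and addresses are constructed, and top-down first-match evaluation of client settings configs is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example (not product code): models how a gateway picks the DNS
# configuration an endpoint receives. All names/addresses are constructed.

@dataclass
class ClientSettings:
    name: str
    source_users: list            # user or group names; empty = any user
    os_list: list                 # OS names; empty = any OS
    source_addrs: list            # CIDR strings; empty = any address
    dns_servers: list = field(default_factory=list)
    dns_suffixes: list = field(default_factory=list)

def matches(cs, user, groups, os_name, ip):
    """A config applies only when ALL of its configured criteria match."""
    if cs.source_users and not ({user, *groups} & set(cs.source_users)):
        return False
    if cs.os_list and os_name not in cs.os_list:
        return False
    if cs.source_addrs and not any(
            ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in cs.source_addrs):
        return False
    return True

def select_dns(configs, global_servers, global_suffixes, user, groups, os_name, ip):
    """Return (dns_servers, dns_suffixes) the gateway pushes to this endpoint.
    Assumption: configs are evaluated top-down and the first match is used."""
    for cs in configs:
        if matches(cs, user, groups, os_name, ip):
            if cs.dns_servers or cs.dns_suffixes:
                # Any client-level DNS value replaces BOTH global lists,
                # even when one of the client-level lists is empty.
                return list(cs.dns_servers), list(cs.dns_suffixes)
            break  # matched config carries no DNS settings: use global
    return list(global_servers), list(global_suffixes)

# Constructed sample: two partner groups on one gateway plus a catch-all.
CONFIGS = [
    ClientSettings("partner1", ["partner1-grp"], [], [], ["10.1.1.53"], ["p1.example.com"]),
    ClientSettings("partner2", ["partner2-grp"], [], ["192.0.2.0/24"], ["10.2.2.53"], []),
    ClientSettings("any-user", [], [], []),
]
GLOBAL_SERVERS, GLOBAL_SUFFIXES = ["10.0.0.53"], ["corp.example.com"]

if __name__ == "__main__":
    print(select_dns(CONFIGS, GLOBAL_SERVERS, GLOBAL_SUFFIXES, "bob", ["partner2-grp"], "Windows", "192.0.2.10"))
```

Note that the partner2 endpoint receives no DNS suffix at all, because its client-level config sets a DNS server and therefore suppresses the global suffix list.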