DNS Configuration Assignment Based on Users or User Groups
You can now configure GlobalProtect gateways to send different DNS configurations to connecting endpoints based on users and user groups.
Software Support: PAN-OS® 9.0 and later releases
You can now configure GlobalProtect gateways to send different DNS server and DNS suffix configurations to connecting endpoints based on the individual users or users within a specific user group who have logged in to these endpoints. This enhancement reduces the number of gateways and firewalls that you must deploy for your users, as you are no longer required to configure separate gateways for each set of DNS server and DNS suffix configurations. For example, you can configure the Partner 1 user group to use a specific DNS server and set of DNS suffixes. On the same gateway, you can then configure the Partner 2 user group to use a different DNS server and different set of DNS suffixes.
Use the following steps to configure a DNS server or DNS suffix based on a user or user group:
- (Optional) Map users to groups. You can map users to user groups to define policy rules and configurations based on group membership instead of individual users.
- Specify the config selection criteria (including the user or user group) for your client settings configuration. The config selection criteria are the conditions that users must match when connecting to a GlobalProtect gateway. If a user matches all specified criteria (Source User, OS, and Source Address), the gateway deploys this client settings configuration to the user.
If you configure at least one DNS server or DNS suffix at the client level (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-settings-config> > Network Services), the gateway sends the client level configuration for both the DNS server and DNS suffix to the endpoint. This occurs even when you configure gateway level (global) DNS servers and DNS suffixes.
If you do not configure any DNS servers or DNS suffixes at the client level, the gateway sends the global DNS servers and DNS suffixes to the endpoint, if configured (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Network Services).
- Specify the IP address of the DNS Server to which the GlobalProtect app with this client settings configuration sends DNS queries. You can add multiple DNS servers by separating each DNS server with a comma.
- Specify the DNS Suffix that the endpoint should use locally when an unqualified hostname, which the endpoint cannot resolve, is entered. You can enter multiple DNS suffixes (up to 100) by separating each suffix with a comma.
- Save the gateway configuration.
- Commit your changes.
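The precedence rule described in the steps above can be checked against a planned configuration before you commit. The following Python sketch is an added example, not Palo Alto Networks code: it models the rule as stated on this page and flags client settings configurations where a gateway level value would not be applied. The class and function names, group names and addresses are hypothetical, and first-match selection order is an assumption.

```python
from dataclasses import dataclass, field

MAX_SUFFIXES = 100  # limit stated in the steps above

@dataclass
class Dns:
    servers: list = field(default_factory=list)
    suffixes: list = field(default_factory=list)

@dataclass
class ClientConfig:           # hypothetical model of one client settings config
    name: str
    source_users: set         # user or group names this config applies to
    dns: Dns = field(default_factory=Dns)

def effective_dns(client: Dns, gateway: Dns) -> Dns:
    """Any client-level server or suffix makes the client level win for BOTH
    fields; only a completely empty client level falls back to the gateway."""
    return client if (client.servers or client.suffixes) else gateway

def select_config(user, groups, configs):
    """Assumption: configs are checked in list order and the first match wins."""
    names = {user, *groups}
    return next((c for c in configs if c.source_users & names), None)

def audit(configs, gateway):
    """Return (config, issue) pairs where a gateway-level value is not applied."""
    findings = []
    for c in configs:
        if effective_dns(c.dns, gateway) is gateway:
            continue
        if gateway.servers and not c.dns.servers:
            findings.append((c.name, "gateway DNS server not applied"))
        if gateway.suffixes and not c.dns.suffixes:
            findings.append((c.name, "gateway DNS suffix not applied"))
        if len(c.dns.suffixes) > MAX_SUFFIXES:
            findings.append((c.name, "more than 100 suffixes"))
    return findings

# Constructed sample data (addresses from documentation ranges).
GATEWAY = Dns(["192.0.2.53"], ["corp.example"])
CONFIGS = [
    ClientConfig("partner1", {"Partner 1"}, Dns(["198.51.100.10"], ["p1.example"])),
    ClientConfig("partner2", {"Partner 2"}, Dns(suffixes=["p2.example"])),
    ClientConfig("staff", {"Employees"}),
]

if __name__ == "__main__":
    for name, issue in audit(CONFIGS, GATEWAY):
        print(f"{name}: {issue}")
```

In the sample data, the partner2 configuration sets only a suffix, so under the rule above its users receive no DNS server from the gateway level even though one is configured there.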