Dynamic DNS Support for Firewall Interfaces
Configure the firewall to use a Dynamic DNS (DDNS) service
to update your domain name-to-IP address mappings so DDNS provides
accurate IP addresses to DNS clients, which can access services
behind the firewall.
When you have services hosted behind the firewall
and use destination NAT policies on the firewall to access the services,
or when you need to provide remote access to the firewall, you can
register the interface’s IPv4 address changes (dynamic or static
address) and IPv6 address changes (static address only) with a dynamic
DNS (DDNS) service provider. The DDNS service automatically updates
the domain name-to-IP address mappings, so that it can provide accurate
IP addresses to DNS clients, which in turn can access the firewall
and services behind the firewall. DDNS is often used in branch deployments that
are hosting services. Without DDNS support for firewall interfaces,
you would need external components to provide accurate IP addresses
to clients.
The firewall currently supports the following
DDNS service providers: DuckDNS, DynDNS, FreeDNS Afraid.org Dynamic
API, FreeDNS Afraid.org, and No-IP. The individual DDNS service
provider determines the services it provides, such as how many IP
addresses it supports for a hostname, whether it supports IPv6 addresses,
and other factors. Palo Alto Networks uses content updates to add
new DDNS service providers and to make service provider updates
available to you.
- Before configuring DDNS, determine the hostname that you registered with your DDNS provider.
- Obtain the public SSL certificate from your DDNS provider and import it into the firewall.
- Configure DDNS for a Layer 3 interface.
- Enable DDNS for an Ethernet or VLAN interface or subinterface and enter the Hostname for the interface, which must exactly match the hostname you registered with the DDNS service.
- Select one or more IPv4 or IPv6 addresses assigned to the interface.
- Create a certificate profile or select a certificate profile to verify the SSL certificate of the DDNS service when the firewall first connects to a DDNS service to register an IP address and at every update.
- Select the Vendor (and version number) you are using for DDNS service. Palo Alto Networks uses content updates to add new DDNS service providers and to provide updates to their services.
- Configure the Value fields, such as a password that the DDNS service provides to you, and a timeout that the firewall uses if it doesn’t receive an update from the DDNS service.
- View DDNS information for the interface, such as the result of the last FQDN update, and the last time the DDNS service received an FQDN update.
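To confirm from outside the firewall that the configuration above took effect, the following added example (not Palo Alto Networks code) compares the A/AAAA records published for the registered hostname with the interface addresses selected for DDNS. The hostname, addresses, and function names are constructed for illustration.

```python
import ipaddress
import socket


def resolve(hostname):
    """Return the A/AAAA addresses the system resolver gives for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    # An IPv6 sockaddr may carry a %scope suffix; strip it before comparing.
    return {info[4][0].split("%")[0] for info in infos}


def audit_ddns(hostname, interface_addrs, resolver=resolve):
    """Compare published records for hostname with the interface addresses
    selected for DDNS. Addresses are normalized, so IPv6 spellings match."""
    wanted = {ipaddress.ip_address(a) for a in interface_addrs}
    published = {ipaddress.ip_address(a) for a in resolver(hostname)}
    return {
        "ok": sorted(map(str, wanted & published)),
        # Selected on the interface but not in DNS: the update failed, or the
        # provider does not support IPv6 or several addresses per hostname.
        "missing": sorted(map(str, wanted - published)),
        # In DNS but not on the interface: a stale record still steering
        # clients to an address the firewall no longer holds.
        "stale": sorted(map(str, published - wanted)),
    }


if __name__ == "__main__":
    # Constructed sample: documentation-range addresses, hypothetical hostname.
    sample_dns = {"branch1.example.net": ["203.0.113.10", "2001:db8::1"]}
    report = audit_ddns(
        "branch1.example.net",
        ["203.0.113.25", "2001:DB8:0:0:0:0:0:1"],
        resolver=lambda h: sample_dns.get(h, []),
    )
    for status, addrs in report.items():
        print(f"{status:8} {addrs}")
```

Without the `resolver` argument the function queries the system resolver, so run it from a host outside the firewall to see what DNS clients actually receive.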