Dynamic DNS Support for Firewall Interfaces

Configure the firewall to use a Dynamic DNS (DDNS) service to update your domain name-to-IP address mappings so DDNS provides accurate IP addresses to DNS clients, which can access services behind the firewall.
When you have services hosted behind the firewall and use destination NAT policies on the firewall to access the services, or when you need to provide remote access to the firewall, you can register the interface’s IPv4 address changes (dynamic or static address) and IPv6 address changes (static address only) with a dynamic DNS (DDNS) service provider. The DDNS service automatically updates the domain name-to-IP address mappings, so that it can provide accurate IP addresses to DNS clients, which in turn can access the firewall and services behind the firewall. DDNS is often used in branch deployments that are hosting services. Without DDNS support for firewall interfaces, you would need external components to provide accurate IP addresses to clients.
The firewall currently supports the following DDNS service providers: DuckDNS, DynDNS, FreeDNS Afraid.org Dynamic API, FreeDNS Afraid.org, and No-IP. The individual DDNS service provider determines the services it provides, such as how many IP addresses it supports for a hostname, whether it supports IPv6 addresses, and other factors. Palo Alto Networks uses content updates to add new DDNS service providers and to make service provider updates available to you.
  1. Before configuring DDNS, determine the hostname that you registered with your DDNS provider.
  2. Obtain the public SSL certificate from your DDNS provider and import it into the firewall.
  3. Configure DDNS for a Layer 3 interface.
    1. Enable DDNS for an Ethernet or VLAN interface or subinterface and enter the Hostname for the interface, which must exactly match the hostname you registered with the DDNS service.
    2. Select one or more IPv4 or IPv6 addresses assigned to the interface.
    3. Create or select a certificate profile that the firewall uses to verify the SSL certificate of the DDNS service, both when it first connects to the service to register an IP address and at every update.
    4. Select the Vendor (and version number) you are using for DDNS service.
      Palo Alto Networks uses content updates to add new DDNS service providers and to provide updates to their services.
    5. Configure the Value fields, such as a password that the DDNS service provides to you, and a timeout that the firewall uses if it doesn’t receive an update from the DDNS service.
  4. View DDNS information for the interface, such as the result of the last FQDN update, and the last time the DDNS service received an FQDN update.
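
To confirm from the client side that the hostname resolves to the addresses you selected on the interface, you can compare the published DNS records with the interface addresses. The following is an added example, not Palo Alto Networks code; the function names, the hostname `branch1.example.net`, and the addresses are constructed for illustration.

```python
import ipaddress
import socket


def resolve(hostname):
    """Return the set of addresses DNS currently publishes for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    # Strip any IPv6 zone id (e.g. "%eth0") before parsing.
    return {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}


def audit_ddns(hostname, interface_addrs, resolver=resolve):
    """Compare published records with the addresses selected for DDNS.

    interface_addrs: addresses chosen on the interface, with or without
    a prefix length ("203.0.113.10/24" and "203.0.113.10" both work).
    """
    expected = {ipaddress.ip_interface(a).ip for a in interface_addrs}
    published = set(resolver(hostname))
    return {
        "missing": sorted(map(str, expected - published)),  # not registered yet
        "stale": sorted(map(str, published - expected)),    # DNS points elsewhere
        "in_sync": expected == published,
    }


# Constructed sample data (documentation address ranges), so this runs offline.
def sample_resolver(hostname):
    records = {"branch1.example.net": ["198.51.100.7", "2001:db8::0010"]}
    return {ipaddress.ip_address(a) for a in records.get(hostname, [])}


if __name__ == "__main__":
    report = audit_ddns("branch1.example.net",
                        ["203.0.113.10/24", "2001:DB8::10/64"],
                        resolver=sample_resolver)
    print(report)
```

Omit the `resolver` argument to query live DNS. A `stale` entry means clients are still being sent to an address the interface no longer holds.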
