Read the following sections to get an overview of how
DDNS works, guidelines and requirements, and how to enable it.
GlobalProtect establishes an SSL tunnel between the GlobalProtect
endpoint and an on-premises gateway or a Prisma Access gateway.
Through this tunnel, GlobalProtect sends the mobile user device's hostname,
domain name, and tunnel IP address to the on-premises gateway or Prisma
Access gateway.
The on-premises gateway or Prisma Access forwards this information
as GlobalProtect events to Strata Logging Service.
The Prisma Access Cloud Services plugin polls Strata Logging Service every 15 minutes
for new GlobalProtect events and uses them to update the DNS server.
If the plugin does not receive the GlobalProtect events from Strata Logging Service,
it retries the request up to five times. If all of those retries fail, the plugin
retries the operation at each of the next 15-minute intervals, up to four times.
A given set of events can therefore still be retrieved within a window of one hour.
If you want more frequent updates, enter the
debug plugins cloud_services set-gp-ddns-interval command
to change the update interval to five minutes. With a five-minute interval,
the Cloud Services plugin can update a maximum of 15,000 records at a network
latency of 50 msec, and the retry window for receiving updates shrinks from
one hour to 20 minutes (four retries at five-minute intervals).
- No commit is required after you change the time interval with this command.
- These numbers come from a controlled environment; real-world
operating conditions can affect them.
After receiving the updates from Strata Logging Service, the Cloud
Services plugin packages the A and PTR records as NSUPDATE (RFC 2136 dynamic
DNS update) requests and sends them to the primary DNS server every 15 minutes.
If you changed the
time interval to five minutes using the debug plugins cloud_services set-gp-ddns-interval command,
the plugin updates the DNS server every five minutes.
If the plugin is unable to update the DNS server through NSUPDATE, it
retries the update operation up to five times. If those retries fail, the plugin
retries the update at each subsequent interval (every 15 minutes, or every five
minutes if you changed the interval), up to four times. The plugin therefore
keeps trying to apply a given set of logged events for a maximum of one
hour (with a 15-minute interval) or 20 minutes (with a five-minute interval),
after which it starts afresh. An endpoint whose update fails for that entire
window is left with no A and PTR records, or with stale ones, until its next
GlobalProtect event is processed.
After the A and PTR records of GlobalProtect mobile users
are available in the DNS server, an IT administrator or enterprise
software can resolve an endpoint name to its tunnel IP address with a forward
(A) lookup, or a tunnel IP address to its endpoint name with a reverse (PTR)
lookup. The IT administrator or the endpoint management software
uses this information to manage the endpoint or push software updates.
Because the records reflect only events the plugin has already processed, a
record can lag the endpoint's current tunnel state by up to one update interval.
The
following figure illustrates this workflow.
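The following is an added example, not code from Palo Alto Networks or the Prisma Access Cloud Services plugin. It shows what the NSUPDATE packaging described above amounts to in practice: for each GlobalProtect event (hostname, domain name, tunnel IP address) it generates the nsupdate batch that replaces the endpoint's A record and the matching PTR record, grouped per zone because an RFC 2136 UPDATE message carries exactly one zone. It also includes the forward-confirmed check that endpoint management software should apply before acting on a reverse lookup result, so that a stale or forged PTR is not trusted on its own. Everything beyond the hostname/domain/tunnel-IP triple is an assumption: the forward zone being the endpoint's domain, octet-aligned in-addr.arpa reverse zones, the 300-second TTL, the TSIG key name and secret, and the sample events, which are constructed for illustration.

```python
"""
Added example, not Palo Alto Networks code: the nsupdate batch equivalent to
the A and PTR records the Cloud Services plugin packages as NSUPDATE, plus the
forward-confirmed check a consumer of those records should perform.
Assumptions (not from the page): forward zone == endpoint domain, octet-aligned
in-addr.arpa reverse zones, a 300 s TTL, the TSIG key name/secret and the
sample events, which are constructed for illustration.
"""
import ipaddress
from collections import OrderedDict

TTL = 300  # assumed; keep short so a reassigned tunnel IP is not cached for long

# Constructed sample GlobalProtect events: hostname, domain name, tunnel IP.
SAMPLE_EVENTS = [
    {"hostname": "LT-ALICE", "domain": "corp.example", "tunnel_ip": "10.20.30.40"},
    {"hostname": "lt-bob", "domain": "corp.example", "tunnel_ip": "10.20.30.41"},
    {"hostname": "lt-carol", "domain": "lab.example", "tunnel_ip": "10.20.31.7"},
]


def fqdn(hostname, domain):
    """Absolute, lower-cased forward name so repeated events hit the same RRset."""
    return f"{hostname}.{domain}.".lower()


def ptr_owner(ip):
    """Owner name of the PTR record for an IPv4 tunnel address."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def reverse_zone(ip, prefix_len=24):
    """in-addr.arpa zone holding the PTR for ip (octet-aligned zones assumed)."""
    if prefix_len % 8:
        raise ValueError("only octet-aligned reverse zones are handled here")
    net = ipaddress.IPv4Network(f"{ip}/{prefix_len}", strict=False)
    octets = str(net.network_address).split(".")[: prefix_len // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def build_nsupdate_batch(events, key_name=None, key_secret=None, reverse_prefix_len=24):
    """Return the lines of an nsupdate batch (stdin to `nsupdate`) for all events.

    RFC 2136 allows one zone per UPDATE message, so records are grouped per
    zone and each group ends with its own `send`. Existing A/PTR RRsets are
    deleted before the new record is added, so a hostname that reconnects with
    a different tunnel IP, or a tunnel IP reused by another endpoint, does not
    leave a second, stale record behind.
    """
    per_zone = OrderedDict()
    for ev in events:
        name = fqdn(ev["hostname"], ev["domain"])
        ip = str(ipaddress.IPv4Address(ev["tunnel_ip"]))  # validates the address
        fzone = ev["domain"].lower() + "."
        per_zone.setdefault(fzone, []).extend([
            f"update delete {name} A",
            f"update add {name} {TTL} A {ip}",
        ])
        rname = ptr_owner(ip)
        per_zone.setdefault(reverse_zone(ip, reverse_prefix_len), []).extend([
            f"update delete {rname} PTR",
            f"update add {rname} {TTL} PTR {name}",
        ])
    lines = []
    if key_name and key_secret:
        # TSIG-signed updates; the server's update-policy should be limited to this key.
        lines.append(f"key hmac-sha256:{key_name} {key_secret}")
    for zone, updates in per_zone.items():
        lines.append(f"zone {zone}")
        lines.extend(updates)
        lines.append("send")
    return lines


def forward_confirmed_name(ip, lookup_ptr, lookup_a):
    """Forward-confirmed reverse lookup: return the PTR target whose A record
    contains ip, or None. lookup_ptr(ip) -> names and lookup_a(name) -> IPs are
    injected so the check runs offline; wrap socket.gethostbyaddr/getaddrinfo
    in production. A PTR that is stale or forged fails this check."""
    for name in lookup_ptr(ip):
        if ip in lookup_a(name):
            return name
    return None


if __name__ == "__main__":
    print("\n".join(build_nsupdate_batch(SAMPLE_EVENTS, "gp-ddns", "c2VjcmV0")))
```

Pipe the printed batch into `nsupdate` to apply it; the `key` line assumes a TSIG key already configured on the primary DNS server, and the `update delete` lines are what keep a reused tunnel IP from resolving to two hostnames. The forward-confirmed check mirrors what an endpoint management tool should do with a reverse lookup: accept the name only if its A record still points back at the tunnel IP, which is exactly the condition that fails while a record lags behind or after a failed update window.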