Read
the following sections to get an overview of how DDNS works, guidelines and
requirements, and how to enable it.
GlobalProtect
establishes an SSL tunnel between the GlobalProtect endpoint and
an on-premises or Prisma Access gateway.
GlobalProtect sends the mobile user device’s hostname, domain name,
and tunnel IP address information through the tunnel to the on-premises or
Prisma Access gateway.
The on-premises gateway or Prisma Access forwards this information as
GlobalProtect events to Strata Logging Service.
The Prisma Access Cloud Services plugin probes Strata Logging Service
every 15 minutes to update the DNS server.
If the plugin
does not receive the GlobalProtect events from Strata Logging Service,
it retries the request a maximum of five times. If the retry requests
were not successful, the plugin retries the operation every 15 minutes
for a maximum of four times. Therefore, the plugin can receive updates
for a time interval of one hour.
If you want more frequent
updates, you can enter the debug plugins cloud_services set-gp-ddns-interval command
to change the update interval to five minutes. A is not required
to update the time interval. If you change the interval to five
minutes, the Cloud Services plugin can update a maximum of 15,000
records with a network latency of 50 msec and can receive updates
for a time interval of 20 minutes.
- No Commit is
required after you change the time interval using the command.
- These numbers are from a controlled environment and real-world
operating conditions can affect these numbers.
After receiving the updates from Strata Logging Service, the Cloud Services
plugin packages A and PTR records as NSUPDATE, and updates the primary
DNS server every 15 minutes.
If you changed the time interval
to five minutes using the debug plugins cloud_services set-gp-ddns-interval command,
the plugin updates the DNS server every five minutes.
If the
plugin is unable to update the DNS server through NSUPDATE, the plugin
retries the update operation a maximum of five times. If the updates were
not successful, the plugin retries the update operation every 15
minutes, or every five minutes if you changed the interval to five
minutes, for a maximum of four times. Therefore, the plugin tries
to update the events that are logged for a maximum of one hour (if
you use a 15-minute interval) or 20 minutes (if you use a five-minute
interval), after which it starts afresh.
After the A and PTR records of GlobalProtect mobile users
are available in the DNS server, an IT administrator or an enterprise
software uses these records through a DNS or RDNS lookup and resolves
the endpoint name or IP address.
The IT administrator or the endpoint management software
uses this information to manage the endpoint or push software updates.
The
following figure illustrates this workflow.