VPN peer ID

speedy_1s — Mon, 13 Apr 2026 05:21:04 GMT

Hi guys,

we have a 3rd party VPN peer who must set the Peer Identification value, the tunnel works fine, but on their side the tunnel ID IP address can change depending on whether they are on their active or standby firewall, and that means we need to update config and push policy to get it online (this is a regular occurrence)

I thought about using an fqdn entry, and updating the A record as needed as its a bit less touch than a firewall change. But I am wondering, can we have the fqdn point to an A record that resolves to 2 IP addresses? I know DNS side its fine but any idea if the palo will work, I somewhat suspect it will only take the first returned address and ignore the second but interested to know if anyone has tried it, Its a prod tunnel so I cant really test it myself

Re: VPN peer ID

abayoumi21 — Thu, 16 Apr 2026 11:15:32 GMT

I am confused about the meaning of this topic. Could you explain the issue related to the real IP address of a third party? Consider this IP as a dynamic peer type and develop the configuration based on that, as mentioned in the provided link. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0.

topic Re: VPN peer ID in Next-Generation Firewall Discussions

VPN peer ID

Re: VPN peer ID