topic New RN-SPN in Prisma Access Discussions

New RN-SPN

Sanjay_Ramaiah — Wed, 29 Oct 2025 19:42:24 GMT

Hi Team,

Today I created a new RN-SPN in one of the US location and I see the Service Endpoint Address is being displayed with the FQDN.

Have created multiple nodes before and never saw an FQDN and it use to be IP address always.

Just wanted to confirm if this is something which is new and will the IP address the FQDN resolving now will be static or will it change frequently?

Re: New RN-SPN

nikoolayy1 — Fri, 31 Oct 2025 15:45:38 GMT

I suggest seeing Prisma Access SASE Extra Security Tips and Features | Palo Alto Networks point 8. Now there is Network LB infront of the MU-SPN and I suspect the same is for RN-SPN as when there is auto scale event the LB will have more SPN added. If this changes often it could depend on AWS or GCP as Prisma Access uses those and their Network LB. Is the FQDN aws or gcp one maybe that will give a clue as if not then Prisma uses AWS Route 53 or the GCP similar service and not the native FQDN given to a Network LB ?

Also if it was an IP address then as mentioned in Get Notifications When Prisma Access IP Addresses Change you needed to monitor when there is a change as there is no predefined window like every 6 months etc while with DNS this seems much simpler and it is mentioned in Remote Networks: Service Endpoint Address and Egress IP Address Allocation you can either get ip (probably legacy) or FQDN.

Re: New RN-SPN

nikoolayy1 — Fri, 21 Nov 2025 07:41:19 GMT

Just to correct myself an LB seems to be used only in MU-SPN as users VPN traffic can be load balanced to different instances.

Still the rest for the DNS is the same as even if the IP changes the DNS stays the same and with a small DNS TTL your device will make new requests to get the new IP, Just need to check that your on-prem device does not just resolve one time DNS FQDN but I think all new on-prem routers or Firewalls now work normally and will do a new request after the DNS TTL is over.