topic Re: DynDNS client on PANOS 9.0 in General Topics

DynDNS client on PANOS 9.0

StevenEerdekens — Sun, 03 Mar 2019 09:37:23 GMT

Hi,

I'm trying to setup DynDNS based on the instructions found at https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/configure-dynamic-dns-for-firewall-interfaces.html

I'm using DuckDNS, but I'm stuck at the 'certificate profile' portion. As I understand it correctly I have to import the (public) SSL certificate of DuckDNS, but this is not provided by them.

I don't understand why this is needed since their certificate is signed by Starfield CA, which is already in the list of 'Default Trusted Certificate Authorities' on the Paloalto firewall.

Also other DynDNS provides such as DYN don't seem to provide their public certificates for download.

Re: DynDNS client on PANOS 9.0

Remo — Sun, 03 Mar 2019 21:02:46 GMT

Hi @StevenEerdekens

The public cert is always public available. It is send in every tls connection that you establish to duckDNS. In your browser you can see the cert also when you check the tls certificate of the website.

The duckDNS cert is this one here:

But for the cert profile you should use the intermediate cert which signed the duckdns cert.

Hope this helps.

Regards,

Remo

Re: DynDNS client on PANOS 9.0

StevenEerdekens — Sun, 03 Mar 2019 22:05:52 GMT

Hi Remo,

The Duckdns.org cert is signed by Starfield Secure CA GW, so I tried to import the Root G2 and intermediate G2 certificate found on http://certs.starfieldtech.com/repository/

But I still see the following error in the system log when filtering ddns type entries: Server response: 'Peer certificate cannot be authenticated with given CA certificates'

Any clue?

Thanks!

Re: DynDNS client on PANOS 9.0

OtakarKlier — Mon, 04 Mar 2019 17:28:57 GMT

Hello,

Install the highest certificate in the chain.

The Starfield Root Certificate.

See if that helps.

Re: DynDNS client on PANOS 9.0

StevenEerdekens — Tue, 05 Mar 2019 13:40:03 GMT

I've got it running now.

The root certificate was already installed, but I had to import a different intermediate bundle: https://ssl-ccp.secureserver.net/repository/sf_bundle-g2-g1.crt

Thanks
Steven

Re: DynDNS client on PANOS 9.0

MichaelJay — Sat, 24 Aug 2019 04:43:11 GMT

I've been having the same issue with DuckDNS DDNS via the Palo Alto and finally got it to work after what seems like hours of downloading certificates from Starfield and trying different combinations... as this was the only post I've been able to find with anything relevant I thought I would add what finally worked for me.

I tried multiple different combinations of intermediate certificates and adjusting other settings.

What finally worked was using Firefox, going to www.duckdns.org, opening the SSL certificate properties and exporting the root certificate and each of the intermediate certificates down the chain in order (I numbered the three of them for simplicity.) I then cleared out other test certificates, imported them in order one by one setting the very top one as a Trusted root CA - but not setting any of the intermediates as trusted root CAs and I did not import the DuckDNS certificate itself. I then created a new Certificate Profile and added each of the certificates to the profile in order, set the Certificate Profile that I created in the dynamic DNS profile and saved it.

Low and behold a test "dns-proxy ddns update interface name vlan" in the CLI finally worked, when I checked the logs under Monitor -> Logs -> System -> ( subtype eq ddns )

For reference, the Advanced -> DDNS -> Hostname entry was set as the DDNS hostname *without* the .duckdns.org appended. API Host at www.duckdns.org, Base URI at /update, Secret Token pasted in with no spaces or other characters (generally the default DuckDNS v1 settings with my own private key.

Hopefully that saves someone some of the same headaches - seems strange that these aren't trusted by default with OEM provided Certificate Profiles for each service in the OEM provided DDNS profiles.

Re: DynDNS client on PANOS 9.0

Vincent-Satori — Sat, 30 Nov 2019 15:55:19 GMT

Thanks a lot @MichaelJay you saved me a huge headaches on my no-ip dyndns situation... I was about to throw my Palo by the windows. Now need to understand why my GP portal wont pop up ... if you have any insight would be nice

Re: DynDNS client on PANOS 9.0

MichaelJay — Tue, 03 Dec 2019 17:17:04 GMT

Vincent, very glad to hear that it worked, I wasted way too many hours trying assorted settings!

As far as the GP portal popup, I would probably suggest opening a new conversation on topic and giving a lot more detail on what you're having trouble with. I'm not sure what you mean exactly... As far as the GP VPN client which connects to the portal and then the gateway to establish the VPN, we had to make sure a single certificate was issued to each machine from our CA and trusted by the Palo, and remove all duplicate certificates from the clients. There is a setting to enable prompting for authentication, if it's disabled it won't pop-up an authentication request and will only try to do single sign-on authentication. For SSO you need to make sure that you are signing in to the workstation with the GP "credential provider" in windows (should be a globe icon under "more options" before you login, and only shows up after GP is installed.) We also had issues with pre-logon split tunnel settings not refreshing to per user split tunnels - so had to duplicate the settings to make it work. This was a fairly involved setup with a lot of moving parts and multiple TAC calls to iron things out. If you mean some other aspect, I don't have any tips off hand. Hopefully you get it figured out easily.

Re: DynDNS client on PANOS 9.0

XaiVang — Thu, 26 Dec 2019 21:19:29 GMT

Weird, i believe i did the same exact thing but it is still not working for me. Do you mind taking some screen shots of certificates and certificate profile?

Re: DynDNS client on PANOS 9.0

StevenEerdekens — Fri, 27 Dec 2019 08:59:36 GMT

@XaiVang, here you are

Re: DynDNS client on PANOS 9.0

XaiVang — Fri, 03 Jan 2020 03:10:48 GMT

Thank you @StevenEerdekens!!! Worked like a charm!!! Appreciate your help!

Re: DynDNS client on PANOS 9.0

StevenEerdekens — Fri, 03 Jan 2020 09:40:08 GMT

Glad to hear!

Re: DynDNS client on PANOS 9.0

Rick_Lowery — Fri, 03 Jan 2020 21:44:24 GMT

Steven,

Thank you very much for taking the time to post this. I feel like the biiggest "rock" in the world right now. I have been trying for two days to download the right files to get this to work. I thought I had them, but it continues to fail according to system logs. Is there any chance you could export the files that worked for you and let me know what order you have listed in the profile? I would be more then greatful and would add you to next years christmas card list 🙂 Seriously, and help would be much appreciated. Thanks, Rick

Re: DynDNS client on PANOS 9.0

Rick_Lowery — Sun, 05 Jan 2020 19:31:41 GMT

I have been working this for days. I'm thinking it is something else. Can anyone please tell me why I would get a Timeout message? Could it be policy related?

( description contains 'Interface ethernet1/1 DDNS update to DuckDNS v1 unsuccessful for host mybighost with 108.10.11.34 Server response: Timeout was reached' )

*Note I changed host and IP for privacy purposes.

Re: DynDNS client on PANOS 9.0

Rick_Lowery — Sun, 05 Jan 2020 21:16:33 GMT

Figured it out. I had to change the service route configuration under /Device/Services/ServiceRouteConfiguration so the traffic would go out the WAN and not the default MGMNT interface.

Re: DynDNS client on PANOS 9.0

MPipes — Tue, 26 May 2020 20:32:35 GMT

Hey Rick.

I've been having a similar problem for while. I solved it by making the URL filtering categories of 'high-risk' and 'dynamic-dns' to alert or allow. Then I imported the certificates I got from a packet capture to that IP. Those certificates were different than what Firefox provided me with. You can find them here:

Starfield Class 2 Certification Authority Root Certificate

Starfield Secure Server Certificate (Cross Intermediate Certificate)

Starfield Secure Server Certificate (Intermediate Certificate) - G2

and finally DuckDNS's certificate (note: you will need to save that as a .pem file)

Then I selected all three Starfield certificates in my certificate profile

After commiting I went to the CLI and ran these commands:

test dns-proxy ddns update interface name ethernet1/1

show dns-proxy ddns interface name ethernet1/1

The return code was good.

Hope this helps

Re: DynDNS client on PANOS 9.0

RBecirovic — Thu, 04 Mar 2021 20:44:25 GMT

I tried all of the recommendations that were described here. None of them worked. I am currently with a setup and recommendation from MPipes and ddns is not working with DuckDNS service.

error i am getting: 'Interface vlan.10 DDNS registration to DuckDNS v1 unsuccessful for host #####.duckdns.org with 10.xx.xx.4 Server response: Couldn\'t connect to server'

Certificates imported:

Certificate profile setup:

in my setup I am using vlan that has internet access and setup is as following:

vlan.10 == PA220 == eth1/1 == NAT router = ISP (no security profiles are used in security policy allowing traffic to internet)

Anyone with an idea what to do, what to troubleshoot?

I tried all of the previous recommendations and combinations with certificates and i am out of ideas. Any help more than welcome.

Re: DynDNS client on PANOS 9.0

MPipes — Sat, 06 Mar 2021 03:49:20 GMT

Make sure you imported the certificates as Trusted Root CA Certificates. I also imported DuckDNS's certificate

Re: DynDNS client on PANOS 9.0

RBecirovic — Mon, 08 Mar 2021 09:50:44 GMT

updated certificates as Trusted CA and imported DuckDNS cert too.

DuckDNS cert cannot be imported under cert profile since it is not a CA certificate.

I am still getting the same error: "Interface vlan.10 DDNS registration to DuckDNS v1 unsuccessful for host ####.duckdns.org with 10.XX.XX.4 Server response: Couldn't connect to server."

after i checked the traffic logs and url logs, whenever i run the "test dns-proxy ddns update interface name vlan.10"

it only generates logs under system logs, no traffic logs for the source.

also debug dataplane shows no logs:

duckdns.org is resolved to 35.165.107.187.

having in mind that vlan.10 interface is local firewall interface that has to match fw policy and nat policy in order to reach to internet ran packet-diag:

admin@PAFW> debug dataplane packet-diag show setting

--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
Enabled: yes
Match pre-parsed packet: yes
Index 1: 10.xx.xx.4/32[0]->35.165.107.187/32[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
Index 2: 35.165.107.187/32[0]->10.xx.xx.4/32[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
Logging
Enabled: yes
Log-throttle: no
Sync-log-by-ticks: yes
Features:
flow : basic ager np arp receive ha nd mcast log track cluster pred
ctd : basic
ssl : basic
Counters:
--------------------------------------------------------------------------------
Packet capture
Enabled: yes
Snaplen: 0
Username:
Stage receive : file duck-receive
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
Stage firewall : file duck-firewall
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
Stage transmit : file duck-transmit
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
Stage drop : file duck-drop
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
--------------------------------------------------------------------------------

perhaps i might be wrong, but i do think that pa220 is not making requests to duckdns when i run test dns-proxy ddns update interface name vlan.10, and there is no ssl session for that matter to use certificate profiles.

Re: DynDNS client on PANOS 9.0

RBecirovic — Thu, 11 Mar 2021 11:20:52 GMT

Based on my previous update and further digging, the PA was not initiating traffic due to incorrect (default) service route configuration. After changing the setting and placing vlan.10 instead of default value DuckDns started to update properly.