topic Re: Issue With DNS Suffix in General Topics

Issue With DNS Suffix

karthikeyanB — Fri, 26 Mar 2021 11:20:48 GMT

Dear Team,

The challenge was that we need to do commit with wildcard in dns suffix ie. *.xyz.com but it failed ( PAN OS 9.1.7).

For workaround we have removed wildcard.

You seen in other firewall with panos 9.1.5 its having dns suffix with wildcard. For resolving dns suffix issue with wildcard,

After upgrading to panos from 9.1.5 to 9.1.7 why wildcard not taking in dns suffix.

Regards

Karthikeyan Balamurugan

Re: Issue With DNS Suffix

nikoolayy1 — Fri, 26 Mar 2021 12:13:43 GMT

In GUI and system log is it written why the commit fails? In the CLI also check the managment plane ms.log and devsrv.log.

Re: Issue With DNS Suffix

Mick_Ball — Fri, 26 Mar 2021 12:24:10 GMT

where exactly are you adding the wildcard suffix?

Re: Issue With DNS Suffix

karthikeyanB — Fri, 26 Mar 2021 12:29:02 GMT

We have added *(Star Symbol) i.e *.abc.com

in 9.1.5 its working ie *.abc.com

But in 9.1.7 *.abc.com is not working so we have changed to abc.com and we commit the changes then its works

Re: Issue With DNS Suffix

karthikeyanB — Fri, 26 Mar 2021 12:29:56 GMT

After removing * symbol its works

Re: Issue With DNS Suffix

karthikeyanB — Fri, 26 Mar 2021 12:38:57 GMT

This is we actually configured

Exclude Access Routes      :     
	DNS Servers                :      172.25.225.15
	DNS Suffix                 :     *.ibm.com abc.com xyz.com 123.com 
	config name                :  GW_Twitter_WFH
	User Groups                :     cn=palo_ssl_vpn_twitter,ou=groups,ou=special,ou=gps_bangalore_mtp,

Re: Issue With DNS Suffix

Mick_Ball — Fri, 26 Mar 2021 13:03:30 GMT

are you adding this to a GP gateway\agent\network services.

could you post the cli command that you are using for this. or is it done via GUI.

Re: Issue With DNS Suffix

karthikeyanB — Fri, 26 Mar 2021 13:22:06 GMT

yup, the configuration done by GUI only

Re: Issue With DNS Suffix

Mick_Ball — Fri, 26 Mar 2021 13:23:24 GMT

OK but where in the GUI

Re: Issue With DNS Suffix

karthikeyanB — Fri, 26 Mar 2021 13:39:40 GMT

Re: Issue With DNS Suffix

Mick_Ball — Fri, 26 Mar 2021 13:48:34 GMT

OK thanks for the information.

I cant work out why you would ever need a wildcard in a dns search suffix.

how does that even work?????

if you add suffix "abc.com" and ping "fred" then your dns server will try to resolve "fred.abc.com".

if you add suffix "*.abc.com" and ping "fred" are you expecting the dns to resolve to "fred.(any name).abc.com"

i don't think this has ever worked as expected and perhaps earlier versions just ignored the error and the later versions now error check this field.

Re: Issue With DNS Suffix

Mick_Ball — Fri, 26 Mar 2021 13:54:28 GMT

I can't even add that to my gateway config without an error...

Re: Issue With DNS Suffix

nikoolayy1 — Fri, 26 Mar 2021 14:03:39 GMT

In the Palo Alto documentation it should work as they give examples with *.target.com or * .gmail.com. Try adding only the DNS suffix *.ibm.com without any others as test and then contact the Palo Alto TAC as it seems as a bug. I have seen an issue bug where this wildcard suffix needs to be the last domain in the list, this is why I suggest testing this before the tac case.

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split...

Also this optimized split tunneling was added inm 8.1 version and again they give examples with *.<domain-name>

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/globalprotect-features/split-tunnel-for-public-applications.html

Also double check your globalprotect license just in case as this option is inluded with it not with the normal license. I don't think this is the issue but just in case.

Re: Issue With DNS Suffix

Mick_Ball — Fri, 26 Mar 2021 14:03:36 GMT

Hi @nikoolayy1

I think you are referring to split tunnel domains.

I think the setting that is having issues is the DNS search suffix here... Network Services

Re: Issue With DNS Suffix

karthikeyanB — Fri, 26 Mar 2021 14:50:47 GMT

MickBall

Yes we hav facing the issue here on network services

Re: Issue With DNS Suffix

Mick_Ball — Fri, 26 Mar 2021 14:53:49 GMT

I don't think a wildcard in network services has ever worked.

what do you expect to gain from this wildcard.

Re: Issue With DNS Suffix

karthikeyanB — Fri, 26 Mar 2021 14:57:16 GMT

No it was totally customer expectation .

Re: Issue With DNS Suffix

Mick_Ball — Fri, 26 Mar 2021 15:02:49 GMT

OK so ask the customer what they expect to achieve by having a wildcard in a DNS search suffix.