What support does the Palo Alto firewall offer in terms of forwarding mDNS (multicast DNS, more specifically Apple's Bonjour service)?
I have a customer where the student and staff wireless networks are on a separate VLAN, with the Palo Alto Captive Portal as the only route out. Will it require adding a "hardened" Apple server to the same network, or will the Palo Alto allow the requests to pass through?
With more iPads wanting to be hooked up to Apple TV or printing from iPads, I would welcome any potential input or any document you could offer.
Secondly, is there any document available on how to configure the DNS proxy?
A workaround could be to set up your DHCP server to instruct your wifi clients to use particular DNS servers instead of this mDNS mumbo jumbo.
If you don't have your own resolvers you could use Google's at 22.214.171.124 and 126.96.36.199, or some of the public ones provided by OpenDNS.
I am sorry; I could not understand that in terms of configuration. I assume that by DHCP server you mean the DHCP server on the Palo Alto.
The issue is: can the Palo Alto work as the DNS server (my experience says no, but is there any other way)? Because in this case I am trying to have the Palo as the DNS server.
Hope you understand what I meant...
When the client requests DHCP information, some DHCP server on your network will reply (assuming you use DHCP rather than static addressing).
I don't know if you run your PA as the DHCP server or if you have a dedicated box for this task. Either way, you can configure the DHCP server to tell the client not only which IP address, netmask and default gateway to use, but also which DNS1 and DNS2 the client should use.
If you don't have your own DNS resolvers on a DMZ or such, you can use public DNS servers. Two available from Google are 188.8.131.52 and 184.108.40.206 (given that your clients are allowed to reach the Internet).
This way you don't need to allow mDNS through your PA device (unless I completely misunderstood your case?).
In this case the DNS resolver should be the Palo Alto firewall. Hence I was thinking of having mDNS allowed by the Palo Alto. Does that make sense?
DNS and mDNS shouldn't be confused. mDNS is a broadcast on that VLAN to specific UDP ports. The broadcast advertises what the client can do, like Screen Sharing or AirPlay. What you're looking for is a Bonjour Gateway.
If you have all your VLANs running through the Palo Alto, you could try creating a multicast rule between the VLANs/Zones with these UDP ports being allowed: 554, 54780, 62572, 5353, 5298, 5297
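To make the "advertises what the client can do" point concrete, here is an added example that is not part of the thread and not Palo Alto code. mDNS (RFC 6762) is sent to the multicast group 224.0.0.251 on UDP port 5353, and that group is link-local scope, so routers do not forward it between VLANs on their own; a Bonjour gateway or reflector is what repeats it across segments. The script builds the standard DNS-SD service-enumeration query (`_services._dns-sd._udp.local`), parses the PTR answers a device such as an Apple TV returns (service types like `_airplay._tcp.local`), and includes a constructed sample response so the parser can be exercised offline. Only `discover()` touches the network, and it assumes the host runs on the same VLAN as the devices it is looking for.

```python
import socket
import struct

MDNS_GROUP = "224.0.0.251"   # IPv4 mDNS multicast group (RFC 6762), link-local scope
MDNS_PORT = 5353             # the mDNS UDP port, one of the ports listed in the reply above
TYPE_PTR = 12
CLASS_IN = 1
QU_BIT = 0x8000              # "unicast response OK" bit in the question class
SERVICE_ENUM = "_services._dns-sd._udp.local"   # DNS-SD "list every service type" name


def encode_name(name):
    """Encode 'a.b.local' as length-prefixed DNS labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode()
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(service=SERVICE_ENUM):
    """One-question mDNS PTR query; the default asks for every advertised service type."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)    # id 0, flags 0, qdcount 1
    question = encode_name(service) + struct.pack("!HH", TYPE_PTR, CLASS_IN | QU_BIT)
    return header + question


def decode_name(data, offset):
    """Decode a possibly-compressed name; return (name, offset just past it)."""
    labels = []
    end = None                      # set when the first compression pointer is followed
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:   # two-byte pointer into an earlier part of the packet
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode())
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_records(data):
    """Return (name, type, ttl, rdata) for every resource record in an mDNS packet.

    PTR rdata is decoded to a name; other record types are returned as raw bytes.
    """
    _, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):             # skip the question section
        _, offset = decode_name(data, offset)
        offset += 4                 # qtype + qclass
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == TYPE_PTR:
            rdata, _ = decode_name(data, offset)
        offset += rdlen
        records.append((name, rtype, ttl, rdata))
    return records


def sample_response():
    """Constructed (not captured) reply from a host advertising AirPlay and RAOP.

    The second answer names the owner with a pointer (0xC00C) back to offset 12, and
    both rdata names end with a pointer (0xC023) to the 'local' label at offset 35.
    """
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)      # QR|AA, 2 answers
    name = encode_name(SERVICE_ENUM)                               # bytes 12..41
    rr1 = name + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, 16)
    rr1 += b"\x08_airplay\x04_tcp\xC0\x23"
    rr2 = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, 13)
    rr2 += b"\x05_raop\x04_tcp\xC0\x23"
    return header + rr1 + rr2


def discover(timeout=2.0):
    """Send the query to the multicast group and return (source, name, type, ttl, rdata)
    for every record in the replies heard before the timeout. Network access required."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)   # TTL 255 per RFC 6762
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_query(), (MDNS_GROUP, MDNS_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(9000)
            found.extend((src,) + rec for rec in parse_records(data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    for rec in parse_records(sample_response()):
        print(rec)
```

Run it on a laptop in the student VLAN and `discover()` lists the service types advertised there; run it from the staff VLAN and the Apple TV's answers will be absent unless something is relaying mDNS between the segments, which is the gap a Bonjour gateway fills.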