Assigning DNS A-record to GlobalProtect Client?


L1 Bithead

Hello PA Community!

We migrated to laptops and GlobalProtect always-on pre-login VPN solution several months back. We are currently at a point where around 50% of our clients haven't talked to WSUS in quite some time because their DNS records are getting all mixed up. We have some clients with a DNS A-record on the old trusted DHCP scope, some with a DNS A-record of the GlobalProtect assigned IP, and some with a mix of both or none. Some time back, I turned off Dynamic DNS updates on the old wired DHCP scope so that clients would stop getting assigned those addresses. Unfortunately, this only seemed to muddle the water rather than solve anything.

I can't seem to find good documentation, but I am looking for recommendations / best practices for managing DNS A-records to our GlobalProtect clients for patch management purposes. Furthermore, we have some clients (us admins) that get a pre-login IP followed by receiving a specific (different) IP on user connect - yet in some cases the pre-login IP gets assigned to our machine name when the tunnel is created rather than the normal IP.

I opened a case on this some time ago, but did not get the answers I was looking for. I'm hoping someone here in the community has run into similar issues and found a solution for it. Environment is all Windows 10 with LDAP auth, PAN-OS 8.0.x and GP client 3.1.5.

Thanks everyone!

2 REPLIES

Cyber Elite

Hello,

Where are the clients getting their DHCP leases from now? If it's a Windows server, I would make sure that the DHCP server has sufficient rights to modify DNS records. Also make sure the scope can register the names in DNS.

Also, enabling DNS scavenging is a good thing, and delete any client/laptop records that have static records (unless they are really needed); otherwise let DHCP do the DNS updates.

Hope that helps.
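An added example (not code from this reply or from Palo Alto Networks) that turns the checks above into a single PowerShell audit: the scope's DNS dynamic-update settings on the DHCP server, whether aging/scavenging is enabled on the zone, and which hosts in the zone carry duplicate A-records, records split between the old wired scope and the GlobalProtect pool, or static records. The server names, zone name and subnet ranges are placeholder assumptions; run it from a host with the DhcpServer and DnsServer RSAT modules.

```powershell
#Requires -Modules DhcpServer, DnsServer
# Added example, not from the thread. Audits DHCP->DNS registration, zone aging,
# and stale/duplicate client A-records. All names and ranges below are assumptions.
$DhcpServer    = 'dhcp01.corp.example'
$DnsServer     = 'dc01.corp.example'
$Zone          = 'corp.example'
$OldWiredScope = '10.10.0.0'        # ScopeId of the old trusted wired scope
$OldWiredCidr  = '10.10.0.0/24'     # same scope as a CIDR range
$GpPoolCidr    = '10.200.0.0/16'    # GlobalProtect client IP pool

# IPv4 dotted-quad -> unsigned 32-bit integer (network byte order)
function ConvertTo-UInt32 {
    param([string]$Ip)
    $b = [ipaddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)
    [BitConverter]::ToUInt32($b, 0)
}

# True when $Ip falls inside the CIDR range $Cidr
function Test-InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $mask = [uint32](([math]::Pow(2, [int]$bits) - 1) * [math]::Pow(2, 32 - [int]$bits))
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

# 1. DHCP side: does the scope register names in DNS, and remove them when the lease ends?
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $OldWiredScope |
    Select-Object DynamicUpdates, DeleteDnsRRonLeaseExpiry, NameProtection, UpdateDnsRRForOlderClients

# 2. DNS side: aging must be enabled on the zone or scavenging never removes anything
Get-DnsServerZoneAging -ComputerName $DnsServer -Name $Zone |
    Select-Object AgingEnabled, NoRefreshInterval, RefreshInterval, ScavengeServers

# 3. DNS side: hosts whose A-records look wrong for a GlobalProtect-only client
$records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A |
    Where-Object { $_.HostName -notin '@', 'DomainDnsZones', 'ForestDnsZones' }

$records | Group-Object HostName | ForEach-Object {
    $ips    = @($_.Group | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
    $inOld  = @($ips | Where-Object { Test-InCidr $_ $OldWiredCidr })
    $inGp   = @($ips | Where-Object { Test-InCidr $_ $GpPoolCidr })
    # Dynamic records carry a Timestamp; a static record has none (assumption about the cmdlet output)
    $static = @($_.Group | Where-Object { -not $_.Timestamp })

    if ($ips.Count -gt 1 -or $static.Count -gt 0) {
        if ($inOld.Count -gt 0 -and $inGp.Count -gt 0) { $problem = 'mixed old-scope + GP pool' }
        elseif ($static.Count -gt 0)                   { $problem = 'static record(s)' }
        else                                           { $problem = 'duplicate A-records' }

        [pscustomobject]@{
            Host        = $_.Name
            Records     = $ips -join ','
            OldScopeIPs = $inOld.Count
            GpPoolIPs   = $inGp.Count
            Static      = $static.Count
            Problem     = $problem
        }
    }
} | Sort-Object Problem, Host | Format-Table -AutoSize
```

Hosts reported as "mixed old-scope + GP pool" are the ones that WSUS will reach only by luck, since the resolver may return the dead wired address first; "static record(s)" are the entries the reply suggests deleting so that dynamic updates and scavenging can take over.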

Hi @ihealey

When clients are connected with GP, there is no other method than the clients registering themselves in DNS (AD-joined computers) - or you have to create a custom solution that gets the connected computers and then adds/updates the records in the DNS accordingly.

Also for the GP part: we already use version 4. And there we also had the problem where we didn't have DNS entries. Then suddenly version 4.0.5 came out with the fix for a problem that prevented DNS updates from computers connected with GP. So our solution was an update to 4.0.5 or higher. This problem was NOT mentioned in the known issues list, so maybe this problem also exists in 3.1.x. Maybe you should ask support about this...

If DNS internally isn't working properly the root cause probably is also somewhere else - but in case you enforce GP for network access I am not absolutely sure about this - possible that it is also GP related.

Regards,

Remo
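An added example (not code from this reply or from Palo Alto Networks) of the "custom solution" Remo describes: read the gateway's connected-user table through the PAN-OS XML API (the `show global-protect-gateway current-user` operational command) and make each computer's A-record in AD DNS match its current GlobalProtect virtual IP. The firewall, DNS server and zone names are placeholders, the API key is assumed to be in `$env:PANOS_API_KEY`, and the per-entry element names `<computer>` and `<virtual-ip>` are an assumption about the command's XML output; check the reply from your own PAN-OS version before relying on them.

```powershell
#Requires -Modules DnsServer
# Added example, not from the thread or the vendor. Syncs GP gateway sessions -> A-records.
# Assumptions: placeholder names below; API key in $env:PANOS_API_KEY; each <entry> in
# the op-command output carries <computer>, <username> and <virtual-ip>.
param(
    [string]$Firewall  = 'fw01.corp.example',
    [string]$DnsServer = 'dc01.corp.example',
    [string]$Zone      = 'corp.example',
    [string]$ApiKey    = $env:PANOS_API_KEY,
    [switch]$DryRun                      # pass -DryRun to only report the DNS changes
)

# Parse the XML API reply into host/IP pairs. Kept separate so it can be exercised
# against saved output without touching a firewall.
function ConvertFrom-GpCurrentUser {
    param([xml]$Xml)
    if ($Xml.response.status -ne 'success') {
        throw "XML API returned: $($Xml.response.OuterXml)"
    }
    foreach ($e in $Xml.response.result.entry) {
        $name = [string]$e.computer
        $ip   = [string]$e.'virtual-ip'
        if (-not $name -or -not $ip) { continue }    # session without a tunnel address yet
        [pscustomobject]@{
            Host = ($name -split '\.')[0]            # short label; the zone supplies the suffix
            IPv4 = $ip
            User = [string]$e.username
        }
    }
}

function Get-GpCurrentUser {
    $cmd = '<show><global-protect-gateway><current-user/></global-protect-gateway></show>'
    $uri = "https://$Firewall/api/?type=op&key=$ApiKey&cmd=$([uri]::EscapeDataString($cmd))"
    [xml]$reply = (Invoke-WebRequest -Uri $uri -UseBasicParsing).Content
    ConvertFrom-GpCurrentUser -Xml $reply
}

# Make the host's A-record set equal to exactly its current virtual IP.
function Sync-GpDnsRecord {
    param([Parameter(ValueFromPipeline)]$Session)
    process {
        $existing = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
                        -Name $Session.Host -RRType A -ErrorAction SilentlyContinue)
        $current  = @($existing | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })

        if ($current.Count -eq 1 -and $current[0] -eq $Session.IPv4) { return }   # already correct

        foreach ($old in $current) {
            if ($old -ne $Session.IPv4) {
                Write-Host "$($Session.Host): removing stale A $old"
                Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
                    -Name $Session.Host -RRType A -RecordData $old -Force -WhatIf:$DryRun
            }
        }
        if ($current -notcontains $Session.IPv4) {
            Write-Host "$($Session.Host): adding A $($Session.IPv4) (user $($Session.User))"
            Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $Zone `
                -Name $Session.Host -IPv4Address $Session.IPv4 -WhatIf:$DryRun
        }
    }
}

Get-GpCurrentUser | Sync-GpDnsRecord
```

Run it as a scheduled task under an account that may write to the zone, and start with `-DryRun` to see what it would change. Because it simply mirrors whatever the gateway reports right now, the pre-login address the original post mentions is replaced by the user-phase address on the next run after the user tunnel comes up; records created this way are static from the DNS server's point of view, so either let this script also remove records for hosts that have disconnected or keep scavenging enabled and have the script refresh rather than create them.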

  • 5274 Views
  • 2 replies
  • 0 Likes
  • 101 Subscriptions