GlobalProtect Agent blocks DNS requests

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect Agent blocks DNS requests

Cyber Elite
Cyber Elite

I have case open with Palo but was wondering if anyone can verify and get same result as I.

 

I have 0.0.0.0/0 route towards tunnel.

I have Primary and Secondary DNS servers configured in GP Gateway (Network Services tab).

 

When I perform nslookup from Windows command prompt then reply comes only if request is sent towards either Primary or Secondary DNS server in GP config.

If I change it to anything else then nslookup will fail. Wireshark packet capture taken in Windows shows as DNS reply came from DNS server with result "No such name..."

 

Now weird thing is that no requests are logged in firewall. So it seems like Windows GP agent itself is acting as filter and decides what DNS requests are good to pass on and what not 🙂

 

By the way works fine with MAC client.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
5 REPLIES 5

L7 Applicator

@Raido_Rattameister, Hi.

I have just had a call logged with our team for the same reason, have you had any luck or progress with this.

Cyber Elite
Cyber Elite

@Raido_Rattameister,

For whatever reason I'm remembering a conversation around this that I can't seem to find anymore, and I'm not sure it wasn't during a call/conference. Essentially it was determined that Palo Alto was dropping any DNS requests to anything besides the DNS servers configured in the agent, and that while it was a only Windows thing for the time being it didn't stretch into the macOS client due to limitations in how the OS works. 

I suspect that the response will be that this is expected and is how the agent is supposed to be functioning. 

OK @BPry, thanks for your reply.

 

it's not a big deal as using rdp to resolve issue but just wanted to make sure it's not me going nuts!

 

thanks again.

No solution yet.

Yesterday had another screen share with Palo TAC.

Case #00859418

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Does anyone know if they ever fix this?  Or shall we rephrase and say it is a "feature request" to unbreak this. Is there a client version that doesn't stop DNS requests.  I don't see any mention that the GP clients fakes DNS replies to other servers.

 

I can understand offering this for security purposes, but let's not keep it secret.

 

This makes GP client laptops hobbled for network engineers, desktop techs, domain and DNS engineers and many more IT people.  For many this is a foolish "feature".  It has prevented me from troubleshooting repeatedly.

 

  • 4472 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!