How to setup No-IP Dynamic DNS on Palo Alto PAN-OS 9.0.12


L1 Bithead

Good day all,


I spent quite some time figuring out how to set up the No-IP dynamic DNS service on my PA-220 running PAN-OS 9.0.12 and I want to share how I did it as it wasn't a straightforward process for me and I am sure it isn't for others either.


Why do you want to do this?

This will allow you to use a fully qualified domain name (FQDN) to refer to an outside address.  This can be incredibly useful if you use DHCP to receive an external address, because without using a FQDN you would need to update each instance of that external IP when your address changes. This will allow the service running on the firewall to check in with No-IP and update the IP address if it changes.  By default it checks in daily.


What you need

PAN-OS 9.0.0 or higher (I am using 9.0.12 and have not tested it on earlier versions)

Signed up for a dynamic DNS service through No-IP

A Windows 10 PC (you could do this from a different OS but the specific examples below will need to be modified; however, the overall process will be the same and hopefully you find the process helpful)



Palo Alto Dynamic DNS help pages

No-IP website

OpenSSL binaries


Step 1 - Creating a No-IP account and a hostname

Sign up for a No-IP user account and create a dynamic DNS hostname.  In my example I am using as the host. By default it will create an "A" record which is what I want as I am using IPv4. I haven't tried this with IPv6, but it would likely work with an "AAAA" record as this is also supported by No-IP.  You can also use their managed DNS service using your own domain and update an A record using their dynamic DNS service.


You can verify that the hostname has been created by clicking on the "No-IP Hostnames" menu in the Dashboard.


The IP address will default to the IP of the computer you created the hostname from.


You can also verify that the host hasn't received any updates from the main dashboard for the No-IP service (you see this when you log in).  Once we have set up the service on the Palo Alto this will change.



Step 2: Obtaining the SSL certificates for the No-IP Dynamic DNS service.

You will need to download the SSL certificates from No-IP and install them onto your Palo Alto firewall.  Normally this would be pretty trivial, but it isn't possible to visit their registration site from a web browser.  To get around this we can use OpenSSL and download the certificate from the command line.  Below are the steps to do this.


If you don't already have OpenSSL, you can obtain binaries for your system from the OpenSSL website.  In my example, I use the Win 64 OpenSSL v1.1.1i Light version from Shining Light Productions.  I chose this for no specific reason other than it was the first in the list.  After you have installed the binaries, you will need to open the "Win64 OpenSSL Command Prompt" from your Windows Start Menu.


The output on the newly opened command prompt should look something like this:



Win64 OpenSSL Command Prompt

OpenSSL 1.1.1i  8 Dec 2020
built on: Tue Dec  8 20:54:45 2020 UTC
platform: VC-WIN64A
options:  bn(64,64) rc4(16x,int) des(long) idea(int) blowfish(ptr)
OPENSSLDIR: "C:\Program Files\Common Files\SSL"
ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"
Seeding source: os-specific




Input the command to grab the certificate: 



openssl s_client -connect



You will notice that the domain for the update service is is and NOT  If you visit with a web browser you will find that you get auto-forwarded to, which makes it very hard to download the certificate from something like a web browser.


After you run the command, it will output a bunch of text such as the following:



depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *
verify return:1
Certificate chain
 0 s:CN = *
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
Server certificate
subject=CN = *

issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
SSL handshake has read 3515 bytes and written 401 bytes
Verification error: unable to get local issuer certificate
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)



What we are interested in is the actual certificate.  This is found at the -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- portion.  What we can do is highlight this section (including the Begin Certificate and End Certificate portion), copy it into a text document and save it as noipddns.cer.


Next, we need to get the intermediate and root certificates as we will also need to install these on the Palo Alto firewall.  An easy way to do this is to install the certificate that we just downloaded onto our PC and view the certificate chain and export those two certificates. To do this we need to open "Manage User Certificates" from the Windows control panel.


From the certificate manager, right click "Personal", select "All Tasks" and "Import...".


From the import wizard that opens, select "Next" which will take you to the "File to Import" screen, click "Browse" on the next screen and navigate to the certificate we saved earlier and then click "Next".



Save it in the personal certificate store, click "Next".


Click "Finish" on the next screen. You should get a notification that the import was successful.  Click "OK".

You should now see the certificate.




Next we want to open the certificate to view the certificate path. Double click on * to open the properties window and click on the "Certification Path" tab. 


What we want to do next is export the intermediary and root certificates ("Sectigo RSA Domain Validation Secure Server CA" and "Sectigo" respectively).  This way we can install them on the Palo Alto firewall.  First let's export the intermediate certificate.  Click on "Sectigo RSA Domain Validation Secure Server CA" and then click "View Certificate".



From there, click the "Details" tab, and then click "Copy to File".


This will bring up the Certificate Export Wizard.  Click "Next" on the first screen.  The following screen will give you options to export.  Select "Base-64 encoded X.509 (.CER)" and click "Next".


Name it noipintermediate.cer and save it in the same location as the no-ip certificate we saved earlier.

Next we want to export the root "Sectigo" certificate.  Follow the same steps as above, but select "Sectigo" to export and save it as noiproot.cer.  You should now have exported three certificates.


Step 3 - Configuring the Palo Alto firewall

There are a few things that you need to keep in mind with the following steps.  You need to have a working configuration where you are using DHCP on your external layer 3 interface.  In my case it is ethernet1/1, yours may be different.  I have been told that if you have access locked down, you need to ensure that the external interface can talk to the following addresses to conduct updates (I didn't have to do this, so I cannot vouch for this specific information):




	47	IN	A	47	IN	A






Next you can log into your Palo Alto firewall and navigate to the certificates by going to "Device" -> "Certificate Management" -> "Certificates".  We will install the three certificates here.  Click "Import".

First I install the no-ip certificate.  In my case I named it "NoIPCertificate".


You will need to do the same for the intermediate and root certificates that we saved.  When you are done, your certificate tree should look like this:


Next we can create a certificate profile.  The link will be just under "Certificates" or you can get there by going to "Device" -> "Certificate Management" -> "Certificate Profile".  Click "Add". I called the profile "NoIpCertificates".  Click "Add".

We will need to add the intermediate and root certificates.



Once you have added them, it should look like this, click "OK".


Your profile should now show up in the list like this:



Next we can configure the Dynamic DNS service.  As I stated above, my external IP is on ethernet1/1, yours may be different.  Click on your appropriate interface.


From there click the "Advanced" tab:


From the advanced tab, click the "DDNS" tab.


Click "Settings", "Enable", select the certificate profile we created, add the "DHCP" IP, select "No-IP v1" as the vendor, enter the hostname you are using (my example is being used below), and enter your No-IP username and password. Click "OK".


Next we will commit our changes and wait for them to be applied.




The interface page should refresh and you can now mouse-over the features icon for the interface and see the message.

If all is good, you should see something like this:


You can also verify that the service is working by viewing your No-IP Dashboard and seeing that the updates are being received:



If there is an error, you might see something like this:


Since "bad" isn't a terribly helpful return code, we can dig into the logs by navigating to "Monitor" -> "System" and doing a search for DDNS.



(description contains DDNS)



In the example below, we get a better server response that gives us a clue.  In this case it returns "nohost".  I check out the address, and see that there is a typo in the host name I provided.


You will want to ensure that the certificates remain valid. You will need to update them from time to time.  You should see a certificate error in the logs once they have expired as they should be rejected when the service attempts to check in.


Result codes that you will receive back from No-IP can be found on their integration website. These will help you interpret what is happening.


In Closing

I hope that this can help someone out there.  I spent quite some time trying to figure out the certificate portion of this as well as trying to understand what to enter where.
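Added example, not part of the original post: a shell alternative to the copy-and-paste in Step 2 that splits `openssl s_client -showcerts` output into one PEM file per certificate, so the server certificate and the intermediate it sends can be inspected before import. `UPDATE_HOST` is a placeholder for the update hostname, the sample transcript is constructed, and the root certificate is normally not sent by the server, so it still has to come from a trusted store.

```shell
#!/bin/sh
# Added example, not from the original post.
# UPDATE_HOST is a placeholder: use the update hostname from Step 2.

# extract_pem_certs OUTDIR
# Reads `openssl s_client -showcerts` output on stdin and writes each complete
# certificate to OUTDIR/cert-N.pem (0 = server certificate, 1.. = CA
# certificates the server sent). Prints the number of certificates written.
extract_pem_certs() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        BEGIN { n = 0 }
        { sub(/\r$/, "") }                      # Windows consoles emit CRLF
        /^-----BEGIN CERTIFICATE-----$/ { buf = ""; inside = 1 }
        inside { buf = buf $0 "\n" }
        /^-----END CERTIFICATE-----$/ && inside {
            file = dir "/cert-" n ".pem"
            printf "%s", buf > file
            close(file)
            n++; inside = 0
        }
        END { print n }                         # unterminated blocks are dropped
    '
}

# Constructed transcript: two complete blocks with placeholder bodies (not
# real certificates) and one block cut off before its END marker.
sample_s_client_output() {
    printf '%s\r\n' \
        'Certificate chain' \
        ' 0 s:CN = leaf.example.invalid' \
        '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQtTEVBRg==' \
        '-----END CERTIFICATE-----' \
        ' 1 s:CN = Example Intermediate CA' \
        '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQtSU5URVJNRURJQVRF' \
        '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQtVFJVTkNBVEVE'
}

# Usage against a live server (needs network access and openssl):
#   openssl s_client -connect "$UPDATE_HOST:443" -servername "$UPDATE_HOST" \
#       -showcerts </dev/null 2>/dev/null | extract_pem_certs certs
#   openssl x509 -in certs/cert-0.pem -noout -subject -issuer -enddate \
#       -fingerprint -sha256
```

The `-enddate` line from the second command gives the expiry date to track for the certificate renewals mentioned above, and the SHA-256 fingerprint can be compared against a copy obtained from a second network path before the certificate is imported.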


