Is it possible to enable url redirection in PaloAlto?

Reply
Highlighted
L4 Transporter

Is it possible to enable url redirection in PaloAlto?

Hi All,

Scenario: We have the web server for example.com in trust zone, Any person can access it by anywhere due to destination NAT in firewall with public IP for example.com.

Problem : As we don't have internal DNS server which resolves the example.com, due to this all the request from LAN to example.com is going to internet(public DNS)  and coming back to our DMZ, huge traffic. 

Is it possible ? :               When the request traffic for example.com hits the LAN interface then that traffic should get redirected back to the server hosted internally through the same LAN interface.

Thank you  in advance,...

Guru

Highlighted
L7 Applicator

Hello Guru,

As per my understanding, the Palo Alto Networks firewall cannot be used as a DNS Server. The firewall can, however, point to DNS server as a DNS Proxy.:

Can the Palo Alto Networks Firewall be Configured as a DNS Server?

How to Configure DNS Proxy on a Palo Alto Networks Firewall

How to Configure Caching for the DNS Proxy

The primary problem is, the end user machine will directly send the DNS request to the external server ( not to the PAN firewall).

Thanks

Highlighted
L2 Linker

You can add a NAT rule so that the traffic from an internal network to one of your public IP addresses is translated to an internal address.

Name: Example DNS Fixup

Source zone: Inside

Destination zone: Outside

Original packet:

     Destination address: (specify the public IP address)

Translated packet:

     Destination translation: (specify the internal IP address)

You can specify multiple source zones. And, good management practices would also use address object names rather than bare IP addresses.  For us, we also append "_ref" to the names of our public addresses. That provides a quick sanity check on internal versus external addresses.

dns-fixup.png

Highlighted
L7 Applicator

With the help of U-turn NAT, actual traffic can be redirected to the internal server: U-Turn , but still DNS query will go to the internet for DNS resolution.

U-turn-NAT.jpg

Thanks

Highlighted
L7 Applicator

Hello Gururaj,

Just for testing, could you please configure DNS proxy on the PAN firewall and add a static entry for www.example.com.

Ref doc: How to Configure DNS Proxy on a Palo Alto Networks Firewall

Hope this helps.

thanks.

Highlighted
L7 Applicator

The feature you really want is called DNS doctoring.  With DNS doctoring when you configure a nat the firewall with "doctor" the DNS response from internal clients to present your internal ip address instead of the public one.  DNS doctoring is not yet a feature on the Palo Alto.  Contact your sales team and ask if there is a Feature Request pending you can add a vote for.

In the mean time, if you setup DNS proxy from the link Hulk provided, you can perform the following steps to have your setup act as desired.

1-configure the DNS proxy

2-add static entries (step 5 in the documentation) with the internal address for all your server resources

3-change you DHCP server to present the PA as the DNS server for your LAN

4-update any static computers to use the PA for DNS

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!