Issue With DNS Suffix


L3 Networker

Dear Team,

The challenge was that we needed to commit with a wildcard in the DNS suffix, i.e. *.xyz.com, but it failed (PAN OS 9.1.7).

As a workaround we have removed the wildcard.

On another firewall with PAN-OS 9.1.5, the DNS suffix has a wildcard. For resolving the DNS suffix issue with the wildcard,

After upgrading PAN-OS from 9.1.5 to 9.1.7, why is the wildcard not accepted in the DNS suffix?

Regards

Karthikeyan Balamurugan

17 REPLIES

L6 Presenter

Does the GUI or the system log say why the commit fails? In the CLI, also check the management plane ms.log and devsrv.log.

L7 Applicator

Where exactly are you adding the wildcard suffix?

L3 Networker

We have added * (star symbol), i.e. *.abc.com

In 9.1.5 it's working, i.e. *.abc.com

But in 9.1.7 *.abc.com is not working, so we changed it to abc.com and committed the changes, and then it works.

After removing the * symbol it works.

This is what we actually configured:

 

Exclude Access Routes      :     
	DNS Servers                :      172.25.225.15
	DNS Suffix                 :     *.ibm.com abc.com xyz.com 123.com 
	config name                :  GW_Twitter_WFH
	User Groups                :     cn=palo_ssl_vpn_twitter,ou=groups,ou=special,ou=gps_bangalore_mtp,

 

Are you adding this to a GP gateway\agent\network services?

Could you post the CLI command that you are using for this, or is it done via GUI?

Yup, the configuration was done by GUI only.

OK, but where in the GUI?

suffix issue.png
IBM Wildcard Issue.JPG

OK, thanks for the information.

I can't work out why you would ever need a wildcard in a DNS search suffix.

How does that even work?????

If you add suffix "abc.com" and ping "fred", then your DNS server will try to resolve "fred.abc.com".

If you add suffix "*.abc.com" and ping "fred", are you expecting the DNS to resolve to "fred.(any name).abc.com"?

I don't think this has ever worked as expected, and perhaps earlier versions just ignored the error and the later versions now error-check this field.

I can't even add that to my gateway config without an error...

 

MickBall_0-1616766852437.jpeg
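The search-suffix behaviour described in the post above, as an added example that is not part of the thread and is not PAN-OS code. It assumes RFC 1123 hostname label rules and a client that simply appends each suffix to an unqualified name; the function names are hypothetical, and the sample field is the suffix list from the configuration posted earlier.

```python
import re

# RFC 1123 hostname label: letters, digits, hyphen; no leading or
# trailing hyphen; at most 63 characters. (Assumed validation rule,
# not the check the firewall itself performs.)
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def check_suffix(suffix):
    """Return a list of problems with one search-suffix entry ([] = OK)."""
    name = suffix.rstrip(".")
    if not name:
        return ["empty suffix"]
    problems = []
    if len(name) > 253:
        problems.append("longer than 253 characters")
    for label in name.split("."):
        if label == "*":
            # A search suffix is appended literally, so '*' cannot
            # stand in for "any subdomain" on the client side.
            problems.append("wildcard label '*' is not a literal domain name")
        elif not LABEL_RE.match(label):
            problems.append(f"invalid label {label!r}")
    return problems

def split_suffix_field(field):
    """Split a whitespace-separated suffix field into (valid, rejected)."""
    valid, rejected = [], {}
    for entry in field.split():
        problems = check_suffix(entry)
        if problems:
            rejected[entry] = problems
        else:
            valid.append(entry.rstrip(".").lower())
    return valid, rejected

def candidates(name, search_list):
    """Fully qualified names a client would query for `name`, in order."""
    if name.endswith("."):
        return [name]  # already fully qualified, search list not used
    return [f"{name}.{suffix}." for suffix in search_list]

if __name__ == "__main__":
    # Constructed input: the DNS Suffix field from the posted config.
    valid, rejected = split_suffix_field("*.ibm.com abc.com xyz.com 123.com")
    for entry, problems in rejected.items():
        print(f"rejected {entry}: {'; '.join(problems)}")
    print("queries for 'fred':", candidates("fred", valid))
```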

 

L6 Presenter

According to the Palo Alto documentation it should work, as they give examples with *.target.com or *.gmail.com. Try adding only the DNS suffix *.ibm.com without any others as a test and then contact the Palo Alto TAC, as it seems to be a bug. I have seen a bug where this wildcard suffix needs to be the last domain in the list, which is why I suggest testing this before the TAC case.

 

 

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split...

 

 

 

Also, this optimized split tunneling was added in version 8.1, and again they give examples with *.<domain-name>

 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/globalprotect-features/split-tunnel...

 

 

Also double-check your GlobalProtect license just in case, as this option is included with it, not with the normal license. I don't think this is the issue, but just in case.

Hi @nikoolayy1 

I think you are referring to split tunnel domains.

 

I think the setting that is having issues is the DNS search suffix here... Network Services

MickBall_0-1616767394167.jpeg

 

MickBall

Yes, we are facing the issue here on Network Services.
