- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
mDNS (Apple Bounjour) between two VLANs through a PA
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- mDNS (Apple Bounjour) between two VLANs through a PA
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
mDNS (Apple Bounjour) between two VLANs through a PA
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-13-2016 10:39 PM - edited 09-13-2016 10:41 PM
Hi,
this is the scenario:
- a PA with two physical L3 interfaces (1 zone per interface, 1 subnet per interface, we call them A and B).
- I have a device in Subnet A which is an Airport thing with a printer attached. Devices in Subnet A they can discover the printer via the Apple Bonjour service
- Devices in Subnet B cannot discover the printer in subnet A
- Traffic from/to these two subnets is completely allowed, no restrictions whatsover, and no NAT.
- Both subnets and devices have the PA interface as default gateway
- i am running 7.1
What i did:
- in network-router, i edited the existing virtual router, went to "Multicast" and enabled Multicast. -
- RP Static, RP Interface is the Subnet A interface, RP Address the Subnet A interface address
- Group list: 224.0.0.0/4
- Remote Rendevous point: empty
Interfaces: Subnet A interface, Subnet B Interface IGMP/PIM enabled
- added policy from Subnet A zone and Subnet B zone to "Multicast" zone all allowed
- and committed
Still from Subnet B i cannot see the airport via the multicast Bonjour service. Ideas?
thanks heaps
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-15-2016 09:27 AM
By default, Bounjour only works in a single broadcast domain so it won't traverse the firewall.
To get Bonjour to work across subnets, you need to use wide area Bonjour by creating specific DNS entries.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-20-2016 02:29 AM
thanks RFalconer.
after a lot more reading, i found out that Bonjour sets ttl=1 by default so crossing a router, although possible, will decrease ttl to 0 and the packet it is discarded. This is by design.
Multicast routing although possible, it will not serve this purpose hence it won't work.
The only way to handle this is to use a bonjour gateway which is a feature some vendors offer, like Aruba or Cisco Meraki.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-24-2019 06:05 PM
How can this be accomplished? Can you forward local mDNS queries (224.0.0.251) to something routable (224.0.1.251)? Is that what you're suggesting to cross zones?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-27-2020 12:54 PM - edited 08-27-2020 12:55 PM
If you are reading this in 2020, support for Bonjour has been added to PAN-OS version 10.0.1.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-01-2020 10:34 PM
When will PAN-OS 10.0.1 be released?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-02-2020 11:24 AM
Mid-September is the estimated target.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-03-2020 08:53 PM
10.0.1 just landed, however this feature is only supported on PA-220, PA-800 and PA-3200... It is not supported on PA-VM.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-13-2020 02:46 AM
I did some testing on a PA 220. It works well so far.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-14-2020 06:59 AM
Can You give some instructions please ? Is there any official paper ?
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
