
DNS suffix not applying


L2 Linker

Hello,

I have deployed a GlobalProtect gateway in an office that uses a different domain than our own. To that end, I have added their DNS suffix to the gateway, but when I connect to that gateway, the suffix is never appended. I cannot access their domain resources unless I use the FQDN. In the logs, I see the config being sent and it does include the DNS suffix, so I'm not sure why it won't be appended?


Thanks. 


L7 Applicator

Are you applying this suffix in the gateway global config or in the client configuration settings?

It only seems to work for us if we add it to the global gateway setting for network services; we just separate with a comma.


L7 Applicator

Also,

Not sure where you are seeing the info sent, but the GP logs are showing this...

When I add fred.com to gateway settings:

</dns>
<wins>
</wins>
<dns-suffix>
<member>fred.com</member>
</dns-suffix>

When I add fred.com to client settings:

</dns>
<wins>
</wins>
<dns-suffix>
</dns-suffix>

It seems to not be working, and DNS reverts to the local suffix from prior to the VPN connection.


Hi,

I have added the DNS suffix under Gateway-->Agent-->Network Services. And I see the same thing in the log that you posted: the DNS suffix shows as being processed, but that DNS suffix does not show up in ipconfig or in the adapter settings for GlobalProtect, and when I try to contact a host by hostname, only the FQDN works. So it's as though the config for the DNS suffix is processed but never actually applied, as far as I can see.

I also see no suffix in the ipconfig settings, but Wireshark on port 53 showed that the suffix was added for DNS.

When I do a ping hostname and look in Wireshark, I see the DNS request go to the proper DNS server, but it uses the DNS suffix from the local machine (there are actually two, and it tries both), not the DNS suffix that should be applied via GlobalProtect.

Hmmm... yes, that's correct... but would that matter... I suppose the only issue would be if you had servers with the same name on different domains... apart from that, as long as it resolves, would it really matter? Works OK for me... perhaps you are having other issues with this.

This is a comment from PAN:

"This is expected behavior as the DNS suffix is just a linear list of suffixes to search, and is not adapter dependent."

So it's not supposed to reconfigure the adapter, just add a search suffix.

I had read that as well... but unfortunately, it doesn't seem to be adding the suffix.

It's not resolving properly. So, my laptop is in domain A and receives DNS suffixes for domain A and domain B. GlobalProtect has a DNS suffix for domain C. So when I connect to the GP gateway, I want to be able to resolve hostnames for domain C without the FQDN, but when I ping hostname, Wireshark shows DNS is trying hostname.domainA and hostname.domainB (which fails because the hostname is only in domain C) and then returns that the host can't be found.

Oh, I see... so where exactly are you getting the domain B suffix from? Is that set on the adapter?

DomainA and DomainB DNS suffix are received via GPO.

I have a few local domains on my NIC and have added these additional ones to GP Gateway...

[screenshot: MickBall_1-1607616791419.png]

On GP connection my ipconfig /all shows:

[screenshot: MickBall_2-1607616901266.png]

And when I ping elzzzbelzzzz I see this in Wireshark:

[screenshot: MickBall_3-1607617180549.png]

So it does work, and I have no idea why it wouldn't work for you...

I am using PAN 9.1.6 and GP 5.2.

Perhaps GPO takes precedence here... our suffix is part of the image...

You could try this...


> Run gpedit.msc
> Browse Local Computer Policy
> Computer Configuration
> Administrative Templates -> Network -> DNS Client

Enable "Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries"

Based on what you're showing, it would seem that GPO does indeed take precedence, which makes the DNS suffix option not useful. Although, I'm unable to find anything in their documentation that confirms or denies that.
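Added diagnostic example, not from any poster in this thread: a PowerShell snippet that compares the suffix search list enforced by Group Policy with the effective resolver list and with what the GlobalProtect adapter reports, so you can see which source wins on a given machine. It assumes the GlobalProtect adapter's interface description starts with "PANGP"; the registry key and value names are the standard DNS Client policy locations.

```powershell
# Compare GPO-enforced DNS suffix settings with the effective list and the GP adapter view.
# Run in an elevated PowerShell on the Windows client after the GlobalProtect tunnel is up.

# Policy values written by the "DNS Suffix Search List" and "Allow DNS Suffix Appending to
# Unqualified Multi-Label Name Queries" settings under Computer Configuration -> DNS Client.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

if ($policy -and $policy.PSObject.Properties['SearchList']) {
    # A policy SearchList replaces any adapter-supplied suffixes, including GlobalProtect's.
    Write-Host "GPO SearchList (overrides adapter suffixes): $($policy.SearchList)"
} else {
    Write-Host "No GPO SearchList set; effective list is built from adapter suffixes."
}
if ($policy -and $policy.PSObject.Properties['AppendToMultiLabelName']) {
    Write-Host "AppendToMultiLabelName policy value: $($policy.AppendToMultiLabelName)"
}

# Effective global suffix search list as the resolver actually uses it.
$globalSetting = Get-DnsClientGlobalSetting
Write-Host "Effective SuffixSearchList: $($globalSetting.SuffixSearchList -join ', ')"

# Per-adapter view; assumption: the GlobalProtect adapter description starts with 'PANGP'.
$gpAdapter = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like 'PANGP*' }
if ($gpAdapter) {
    $gpDns = Get-DnsClient -InterfaceIndex $gpAdapter.InterfaceIndex
    Write-Host "GP adapter connection-specific suffix: $($gpDns.ConnectionSpecificSuffix)"
    Write-Host "GP adapter suffix search list: $($gpDns.ConnectionSpecificSuffixSearchList -join ', ')"
} else {
    Write-Host "GlobalProtect adapter not found (is the tunnel up?)"
}

# Check what a single-label query resolves to. Replace 'hostname' with a real short name
# from the remote domain; if only the FQDN resolves, that domain's suffix is not in
# the effective list above.
$shortName = 'hostname'
$answer = Resolve-DnsName -Name $shortName -ErrorAction SilentlyContinue
if ($answer) {
    $answer | Format-Table -AutoSize
} else {
    Write-Host "$shortName did not resolve using the effective suffix search list"
}
```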
