04-12-2026 10:21 PM
Hi guys,
We have a 3rd party VPN peer who must set the Peer Identification value. The tunnel works fine, but on their side the tunnel ID IP address can change depending on whether they are on their active or standby firewall, and that means we need to update config and push policy to get it online (this is a regular occurrence).
I thought about using an FQDN entry and updating the A record as needed, as it's a bit less touch than a firewall change. But I am wondering, can we have the FQDN point to an A record that resolves to 2 IP addresses? I know DNS side it's fine, but any idea if the Palo will work? I somewhat suspect it will only take the first returned address and ignore the second, but interested to know if anyone has tried it. It's a prod tunnel so I can't really test it myself.
04-16-2026 04:15 AM
I am confused about the meaning of this topic. Could you explain the issue related to the real IP address of a third party? Consider this IP as a dynamic peer type and develop the configuration based on that, as mentioned in the provided link. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0.

