07-23-2022 05:42 AM
Hi
I have a requirement to register a connection-specific DNS suffix through Prisma Access for the remote users; this is to facilitate some communication initiated by CyberArk. I understand that this is done through option 015 in DHCP and can do this easily when using my firewall as a DHCP server, but is there any way of doing this in Prisma Access that anybody knows of?
Also, is there any mechanism by which we can then register the FQDN of the connected host with DNS (not on the firewall) to allow resolution by CyberArk?
Apologies in advance if these are stupid questions and thank you for taking the time to look.
08-08-2022 03:49 AM - edited 08-15-2022 04:41 AM
Prisma Access can't control your DHCP, as you connect to Prisma Access with GlobalProtect VPN or Explicit Proxy mode, so you will have to contact your DHCP server before that. So you need an on-prem Palo Alto firewall or the Palo Alto ION SD-WAN device as a DHCP server or DHCP relay, or another on-prem device (DHCP server/router).
You can try using the DNS server and maybe the forward zones in BIND (the Prisma Access DNS option is similar to the forward zones in DNS BIND, so maybe it will be enough for what you are trying to do) or another DNS server's feature, and you may use Prisma Access to overwrite the default DNS server:
08-16-2022 12:01 AM
Hi,
I understand that when using explicit proxy you would have to contact your DHCP server initially, as with any proxy; however, I thought that when using GP it was DHCP that gave the addresses out from the Gateway, but it isn't done using DHCP as the protocol, so that was not possible.
I did look at the registering of DNS but was cut short as the team that wanted the feature moved on to another method.
I will look at the documentation again as you suggest to see how this could be achieved.
Thank you for your reply.