I ran into some strange behavior regarding DNS for mobile users, and wanted to verify whether this is working as intended.
(IP addresses below are made up.)
Info on the infrastructure:
- Panorama Managed Prisma Access.
- Mobile Users - GlobalProtect.
- Using both On-Premises and Prisma Access gateways (Manual).
- DNS for internal domains configured in "Network Services" (10.1.1.1 & 10.2.2.2) through the Prisma Access cloud services plugin, with public domains using the cloud defaults.
- On-Premises gateways assigning 10.1.1.1 & 10.2.2.2 as DNS servers.
- GlobalProtect clients connected directly through on-prem external gateways were able to do internal DNS lookups and ping internal FQDNs.
- GlobalProtect clients connected through Prisma Access country-specific location gateways received a DNS configuration of .1 in their assigned scope.
- GlobalProtect clients connected through Prisma Access country-specific location gateways were able to do DNS lookups (not directly against DNS servers 10.1.1.1 & 10.2.2.2), but were not able to ping internal FQDNs. They were, however, able to ping the IP address returned by the DNS lookups.
- After configuring DNS servers 10.1.1.1 & 10.2.2.2 with a suffix under (Template Mobile_User_Template) Network -> Gateways -> GlobalProtect_External_Gateway -> Agent -> Client Settings -> DEFAULT -> Network Services, the clients connecting through Prisma Access country-specific location gateways received the correct DNS configuration and were able to do internal DNS lookups and ping internal FQDNs.
Following Palo Alto's own documentation (https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-for-users/globalprotect-prisma-access/configure-prisma-access-for-users#id174HA00B0Y4), there is no mention of this, and configuring only through the Prisma Access plugin should suffice.
Hope I can get some clarification on this.