It would have saved me a lot of frustration and phone calls to support.This script parses the DNS log file and does a reverse lookup to see the DNS hostname of the device that did a DNS query The ScenarioĪs part of an 2003 AD migration, the requirements were to replace the 2003 DCs in an existing subnet with new DCs in a new subnet. If anyone from PA reads this forum please publish a complete guide on how to completely configure this feature. The remaining 2/3s of the information needed to configure this required a support ticket to Palo Alto in order to get he full picture. About 1/3 of information is spread out across multiple documents which can be hard to track down. Palo Alto has thus far done a poor job on the documentation to implement split DNS. Ensure in the "App config" in the portal that "Resolve All FQDNs Using DNS Servers Assigned by the Tunnel (Windows Only)" option is set to "no".Some of our user's had IPv6 enabled on their internal home network and Global Protect began sending DNS queries for internal corporate records over IPv6 on the local NIC instead of over the VPN tunnel to the corporate DNS servers Global Protect will prefer IPv6 for DNS lookups. If you're not using IPv6, disable it on the end user's computer.This will ensure all public Internet traffic and DNS lookups will go out the local NIC on the user's computer. Next, leave the exclude columns empty for both Access route and "Include Domain". If you want to exclude all traffic from the VPN tunnel with the exception of your internal IP ranges and internal DNS records, include those items in your "included" items for both the Access Route and "Include Domain".The bug was sending causes the Global Protect client to send DNS queries out all local adapters including the VPN tunnel adapter on the user's computer. There is a bug in Global Protect 5.2.2.I had to speak to our rep who then sent me a document. No error is given when you configure it without a license and I could find no documentation about this license via google, or internal PA support documents. Without it, all DNS entries are forward to whatever DNS servers you configure on the gateway. while licensing is not required for the basic features of Global Protect to work, split DNS requires the Global Protect Gateway license. For anyone stuck in the same situation I was, hopefully the information below will help. However there was more than fix that was involved. The issue was finally resolved in December and Split DNS is working as it should.
0 kommentar(er)
