With PAN-OS 9.0 (quite some time ago), Palo Alto Networks has added Dynamic DNS for a firewall’s interfaces. That is: If your Internet-facing WAN interface gets a dynamic IP address via DHCP or PPPoE (rather than statically configured), the firewall updates this IP address to a configured hostname. The well-known DynDNS providers such as Dyn (formerly DynDNS), No-IP, or FreeDNS Afraid are supported. Since the Palo supports DHCP, PPPoE (even on tagged subinterfaces) as well as DHCPv6 respectively PPPoEv6, we can now operate this type of firewall on residential ISP connections AND still access it via DNS hostnames. Great. Let’s have a look at the configuration steps.
Spoiler: The DynDNS feature on a Palo only supports static IPv6 addresses rather than dynamic ones. 🤦🤦🤦 Yes, you haven’t misread. The DYNAMIC DNS feature does not support DYNAMIC IP addresses, but only STATIC ones. D’oh!
Pre-Notes & Use Cases
- Don’t confuse this type of “DynDNS”, where a client updates an IP address through an API/HTTPS to a DNS provider who hosts public reachable DNS servers, with “Dynamic DNS“, where an internal client (Windows PC, DHCP-client) updates its IP address onto the internal authoritative DNS server through a standard UDP 53 DNS packet. Unfortunately, there is no strict naming convention and even the acronym “DDNS” is used in both scenarios. 🤦
- The main use case for DDNS on a Palo is GlobalProtect, that is: tunnelling home. ;) While outgoing site-to-site VPNs (to counterparts with static IPs) were working all the time, you can now build a remote access VPN back to your small office/home office.
- As IPv4 addresses run short, we are facing many residential ISPs that only offer native IPv6 while tunnelled/CGNATted IPv4. That is: No public IPv4 address on the WAN interface anymore – hence no options for incoming IPv4 connections. :(
- Consequentially, IPv6 is a must. No big deal, since many remote workers have IPv6 on their mobile phones/tethering/ISPs anyway.
- Unfortunately, residential ISPs tend to use “dynamic IPv6 addresses” on the WAN interface rather than static ones. (Along with dynamic IPv6 prefixes for the internal networks, which is even worse!)
- In fact, my customer asked me to set up GlobalProtect on a residential ISP connection with dynamic IPv6 only. No IPv4 at all.
- The other use case of a DDNS service is for IPv4 only: port forwardings aka DNATs to internal servers.
Basic Usage
I’m using a PA-440 with PAN-OS 11.2.0. The official docs about PANW’s DDNS are here. Prerequisites: 1) a DynDNS account by any of the supported vendors. I’m using No-IP these days. And 2) the root certificate of the CA that signed the vendor’s update URL. In my case, it is “dynupdate.no-ip.com” respectively the “DigiCert Global Root G2”. Import this certificate (✅ Trusted Root CA) and add a certificate profile referencing this root:
The interesting steps are under your WAN interface, ethernet1/1 in my case, Advanced -> DDNS. Enabling the settings and the service itself, selecting the vendor and your hostname along with the login credentials, as well as the just created certificate profile. If your WAN interface gets its IPv4 address via DHCP, you can select this type of address there:
After a commit, you can “Show Runtime Info” or simply dig your hostname:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
C:\Users\Johannes Weber>dig palo.ddns.me ; <<>> DiG 9.17.15 <<>> palo.ddns.me ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30149 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;palo.ddns.me. IN A ;; ANSWER SECTION: palo.ddns.me. 51 IN A 100.93.7.250 ;; Query time: 4 msec ;; SERVER: 192.168.7.53#53(192.168.7.53) (UDP) ;; WHEN: Tue Jun 25 21:59:27 Mitteleurop�ische Sommerzeit 2024 ;; MSG SIZE rcvd: 57 |
(The attentive reader has already recognised it: This “public” IPv4 is not a public one, but out of the 100.64.0.0/10 space which is used for CGNAT. There is no single reason why I should update this CGNAT address at all since I can’t reach it from the public Internet anyway. That’s why I have to rely on IPv6.)
The system log shows entries of type “ddns”:
Yep, works like a charm – at least for legacy IP. 😂
IPv6: DynDNS only for static IPs 🤦
PAN-OS 11.0 brought us DHCPv6 (even with prefix delegation), while PAN-OS 11.1 brought us PPPoE client for IPv6. (Thanks for that!) However, PANW somehow forgot to add those dynamic IPv6 address variants backwards to the Dynamic DNS feature. Sad, but true.
And yes, my interface gets a public IPv6 address via DHCPv6. It’s not my lab that’s not working here, but a missing feature.
Why does a software engineer add an “IPv6” section to a *DYNAMIC* DNS feature, but only allows the selection of *STATIC* addresses? That doesn’t make sense at all. If your interface IPs are static, you can add them statically in your DNS anyway. The demand for a DynDNS feature is for *dynamic* addresses, not for static ones. Hence the name.
Ok, reading the docs (RTFM) reveals that missing feature as well:
Of course, I immediately opened a support ticket and got to a staff member who at least understood my problem. ;) I ended up with a feature request, FR ID: 27563. Does anyone want to bet with me when it will be implemented? 😂
Please note that I’m not talking about a dynamic prefix *behind* the firewall (where you would use something like a “dynamic prefix updater“), but only about the WAN interface IP address.
Conclusion
It’s too bad that even PANW still lacks a fully supported IPv6 firewall. We need IPv6-only capable devices to advance IPv6 adoption, not “IPv6-ready” devices.
In the end, I could not fulfil the customer’s requirement, which was a GlobalProtect connection to a dynamic IPv6 address. :( That hurts.
Soli Deo Gloria!
Photo by Ross Findon on Unsplash.
2029 😁
USGv6 Profile Supplier’s Declaration of Conformity (SDoC) R1.1, as a method to validate and trust the Palo Alto Networks software. Here is the link, showing most of the testing of the product was not third party, but it was self tested. https://www.iol.unh.edu/registry/usgv6/823/sdoc