Palo Alto Networks Knowledgebase: How to Configure DNS Proxy for GlobalProtect Clients

Created On 02/07/19 23:49 PM - Last Updated 02/07/19 23:49 PM
Mobile Network Infrastructure

This article shows how to configure DNS proxy for GlobalProtect clients.


For information on how to configure GlobalProtect on the firewall, please click here.

For the video link, please click here.
DNS proxy is a role in which the firewall acts as an intermediary between DNS clients and DNS servers. It behaves as a DNS server itself, answering queries from its DNS proxy cache. If the domain name is not found in the cache, the firewall compares the queried name against the entries of the DNS proxy object bound to the interface on which the query arrived, and forwards the query to the DNS servers selected by the matching rule. If no rule matches, the default DNS servers of that proxy object are used.



1. Identify the tunnel interface referenced in the GlobalProtect Gateway configuration (Network > GlobalProtect > Gateways):


[Screenshot: GlobalProtect Gateway tunnel interface setting]




2. Navigate to Network > Interfaces > Tunnel and add the IP address to the tunnel interface identified from the preceding step:


[Screenshot: tunnel interface IP address configuration]


Note: This can be any IP address that is not otherwise in use. Also make sure that routing and a security rule are in place to allow communication between this IP address and the DNS server.



3. Navigate to Network > GlobalProtect > Gateways. Configure this IP address as the Primary DNS server IP for GlobalProtect clients:


[Screenshot: Gateway DNS server setting, PAN-OS 7.0.x]

[Screenshot: Gateway DNS server setting, PAN-OS 7.1.x]
4. Navigate to Network > GlobalProtect > Gateways. Add this IP address to the access route table so that GlobalProtect clients receive a route for it through the tunnel:


[Screenshot: Gateway access routes, PAN-OS 7.0.x]


[Screenshot: Gateway access routes, PAN-OS 7.1.x]
5. Navigate to Network > DNS Proxy. Configure the tunnel interface to act as the DNS proxy, and configure the primary and secondary DNS servers to be used. DNS proxy rules can be added to send queries for internal domains to the internal DNS server; queries for domains that match no rule go to the default DNS servers. (The location of this setting is unchanged in version 7.1.)


[Screenshot: DNS Proxy object and proxy rules, PAN-OS 7.0.x]


Note: If a DNS query comes to the firewall tunnel interface for, let's say,, the firewall will send the DNS request to However, if a DNS request comes for, let's say,, since the domain name does not match the name in proxy rule, the firewall sends the DNS request to default servers or


Similarly, static entries can be created on the firewall so that DNS requests for a given FQDN are answered with a configured static IP address:


[Screenshot: DNS Proxy static entries, PAN-OS 7.0.x]
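The resolution order described above (static entry, proxy cache, proxy rule match, default servers) is easy to get wrong when troubleshooting, so the following is an added model of it in Python. It is not PAN-OS code and not part of the original article; every interface name, domain, address and rule below is constructed for illustration, the longest-suffix rule matching and the "static before cache" ordering are assumptions of this example, and `fake_forward` stands in for the real upstream servers. It also includes the step 4 precondition check that the DNS server address handed to clients falls inside an access route.

```python
# Added example (not part of the Palo Alto Networks article, not PAN-OS code):
# a small model of the DNS proxy resolution order the article describes.
# All names, addresses and rule contents below are constructed for illustration.
from dataclasses import dataclass, field
import ipaddress


@dataclass
class DnsProxyObject:
    """One DNS proxy object bound to the GlobalProtect tunnel interface."""
    interface: str
    default_servers: tuple            # default primary/secondary servers (step 5)
    rules: dict                       # domain -> (primary, secondary) proxy rules
    static_entries: dict              # fqdn -> ip, answered by the firewall itself
    cache: dict = field(default_factory=dict)


def _norm(name):
    return name.rstrip(".").lower()


def matching_rule(proxy, qname):
    """Return the proxy-rule domain that matches qname, or None.

    Assumption made for this example: a rule matches the domain itself and any
    subdomain (a leading '*.' is accepted), and the longest match wins.
    """
    qname = _norm(qname)
    best, best_len = None, -1
    for domain in proxy.rules:
        d = _norm(domain)
        if d.startswith("*."):
            d = d[2:]
        if (qname == d or qname.endswith("." + d)) and len(d) > best_len:
            best, best_len = domain, len(d)
    return best


def resolve(proxy, qname, forward):
    """Resolve qname in the article's order and report which step answered."""
    name = _norm(qname)
    if name in proxy.static_entries:                 # static entry: answered locally
        return proxy.static_entries[name], "static"
    if name in proxy.cache:                          # DNS proxy cache
        return proxy.cache[name], "cache"
    rule = matching_rule(proxy, name)
    if rule is not None:                             # rule matched -> its servers
        servers, source = proxy.rules[rule], "rule:" + rule
    else:                                            # no match -> default servers
        servers, source = proxy.default_servers, "default"
    answer = forward(servers, name)
    if answer is not None:
        proxy.cache[name] = answer
    return answer, source


def dns_ip_covered_by_access_routes(dns_ip, access_routes):
    """Step 4 check: the tunnel-interface IP handed out as DNS server must fall
    inside an access route, or client DNS traffic never enters the tunnel."""
    ip = ipaddress.ip_address(dns_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in access_routes)


# Constructed stand-in for the upstream servers; a real forwarder sends UDP/53 queries.
FAKE_UPSTREAM = {
    "10.10.10.53": {"intranet.corp.example": "10.10.20.15"},   # internal DNS (Trust)
    "203.0.113.53": {"www.example.net": "198.51.100.7"},       # external primary (Untrust)
    "203.0.113.54": {"www.example.net": "198.51.100.7"},       # external secondary
}


def fake_forward(servers, name):
    """Try the primary then the secondary server; None models no answer."""
    for server in servers:
        answer = FAKE_UPSTREAM.get(server, {}).get(name)
        if answer is not None:
            return answer
    return None


def build_example_proxy():
    return DnsProxyObject(
        interface="tunnel.1",
        default_servers=("203.0.113.53", "203.0.113.54"),
        rules={"corp.example": ("10.10.10.53", "10.10.10.54")},
        static_entries={"portal.corp.example": "192.0.2.10"},
    )


def demo():
    """Run the query types from the article's test and return what answered each."""
    proxy = build_example_proxy()
    results = {
        "static": resolve(proxy, "portal.corp.example.", fake_forward),
        "internal": resolve(proxy, "intranet.corp.example", fake_forward),
        "external": resolve(proxy, "www.example.net", fake_forward),
        "external_again": resolve(proxy, "www.example.net", fake_forward),  # served from cache
        "unknown": resolve(proxy, "nosuch.corp.example", fake_forward),
    }
    results["route_ok"] = dns_ip_covered_by_access_routes("172.16.99.1", ["172.16.99.1/32", "10.0.0.0/8"])
    results["route_missing"] = dns_ip_covered_by_access_routes("172.16.99.1", ["10.0.0.0/8"])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script prints which step answered each constructed query; the `route_missing` case shows the failure mode from step 4, where a DNS server address outside every access route is sent to the client's physical interface instead of the tunnel.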

6. Configure security policy and NAT rules as required for communication with the internal or external DNS servers. The source IP of the forwarded DNS requests is the tunnel interface IP address:


In this example, the tunnel interface is in the Trust-Wifi zone, the internal DNS server is in the Trust zone, and the external DNS server is in the Untrust zone.


[Screenshot: security policy rules for DNS traffic]

[Screenshot: NAT rule for external DNS traffic]
[Screenshot: DNS lookups from a GlobalProtect client]


  • resolved to , which is the static entry configured in DNS proxy
  • resolved to its internal IP address using the internal DNS server, since the domain name matched a proxy rule
  • resolved to its IP address using the external primary DNS server, since the domain name did not match any proxy rule

Following are the sessions created for the internal and external DNS queries:


[Screenshot: firewall sessions for internal and external DNS queries]



Note: To enable DNS Proxy in a multi-vsys environment, please read instructions for PAN-OS 7.0 here:

Configure Virtual Systems
