<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Forcing/Redirecting IP addresses to use name in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/forcing-redirecting-ip-addresses-to-use-name/m-p/571650#M2359</link>
    <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/172132"&gt;@Deena&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Honestly, the best way of accomplishing something like this would be to use a custom App-ID for things and only allow that App-ID to your external resources. That way you can base the ID off of the http-req-host-header and ssl-req-client-hello, and direct IP access would never match and would be denied.&lt;/P&gt;
&lt;P&gt;Alternatively, if you're good at scripting, you could build a custom report and pull it via the API for anything accessing your public IPs directly via URL logs, assuming that you're logging that information. Then the script could block the addresses going directly to your IP addresses and not using FQDNs instead.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Just be mindful that some services are actually expected to be accessed via the IP address. HIP reports are a prime example of this on GlobalProtect, as is SMTP traffic if you have email on-prem. It's not&amp;nbsp;&lt;EM&gt;inherently&amp;nbsp;&lt;/EM&gt;unexpected for everything to just utilize FQDN instead of the IP address itself, but it certainly would be unexpected from web servers and the like.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 03 Jan 2024 22:05:51 GMT</pubDate>
    <dc:creator>BPry</dc:creator>
    <dc:date>2024-01-03T22:05:51Z</dc:date>
    <item>
      <title>Forcing/Redirecting IP addresses to use name</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/forcing-redirecting-ip-addresses-to-use-name/m-p/571648#M2358</link>
      <description>&lt;P&gt;Hi All, happy new year.&lt;/P&gt;
&lt;P&gt;Is there a way to block or force/redirect incoming traffic to an IP address? I would like to block outside attempts from trying to access the network using the IP address instead of the hostname/URL.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Appreciate any suggestions and advice.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Cheers&lt;/P&gt;
&lt;P&gt;Deena&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 03 Jan 2024 21:47:51 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/forcing-redirecting-ip-addresses-to-use-name/m-p/571648#M2358</guid>
      <dc:creator>Deena</dc:creator>
      <dc:date>2024-01-03T21:47:51Z</dc:date>
    </item>
    <item>
      <title>Re: Forcing/Redirecting IP addresses to use name</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/forcing-redirecting-ip-addresses-to-use-name/m-p/571650#M2359</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/172132"&gt;@Deena&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Honestly, the best way of accomplishing something like this would be to use a custom App-ID for things and only allow that App-ID to your external resources. That way you can base the ID off of the http-req-host-header and ssl-req-client-hello, and direct IP access would never match and would be denied.&lt;/P&gt;
&lt;P&gt;Alternatively, if you're good at scripting, you could build a custom report and pull it via the API for anything accessing your public IPs directly via URL logs, assuming that you're logging that information. Then the script could block the addresses going directly to your IP addresses and not using FQDNs instead.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Just be mindful that some services are actually expected to be accessed via the IP address. HIP reports are a prime example of this on GlobalProtect, as is SMTP traffic if you have email on-prem. It's not&amp;nbsp;&lt;EM&gt;inherently&amp;nbsp;&lt;/EM&gt;unexpected for everything to just utilize FQDN instead of the IP address itself, but it certainly would be unexpected from web servers and the like.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 03 Jan 2024 22:05:51 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/forcing-redirecting-ip-addresses-to-use-name/m-p/571650#M2359</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2024-01-03T22:05:51Z</dc:date>
    </item>
    <item>
      <title>Re: Forcing/Redirecting IP addresses to use name</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/forcing-redirecting-ip-addresses-to-use-name/m-p/572439#M2403</link>
      <description>&lt;P&gt;Thanks for the suggestion. I will look into getting App-ID implemented. Does that require the PA to decrypt the incoming traffic from the outside zone?&lt;/P&gt;</description>
      <pubDate>Tue, 09 Jan 2024 22:21:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/forcing-redirecting-ip-addresses-to-use-name/m-p/572439#M2403</guid>
      <dc:creator>Deena</dc:creator>
      <dc:date>2024-01-09T22:21:03Z</dc:date>
    </item>
    <item>
      <title>Re: Forcing/Redirecting IP addresses to use name</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/forcing-redirecting-ip-addresses-to-use-name/m-p/572442#M2404</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/172132"&gt;@Deena&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;It's best if you decrypt traffic, but it isn't a requirement. If you're just building a simple App-ID signature, doing a pattern-match on the ssl-req-client-hello and matching on the pattern of the hex of the field will work perfectly fine. So, as an example, if I were building a match for "example.com", the pattern for ssl-req-client-hello would look like what is listed below.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;            &amp;lt;entry name="SSL-Example-Site"&amp;gt;
              &amp;lt;default&amp;gt;
                &amp;lt;port&amp;gt;
                  &amp;lt;member&amp;gt;tcp/80&amp;lt;/member&amp;gt;
                  &amp;lt;member&amp;gt;tcp/443&amp;lt;/member&amp;gt;
                &amp;lt;/port&amp;gt;
              &amp;lt;/default&amp;gt;
              &amp;lt;signature&amp;gt;
                &amp;lt;entry name="Host Match"&amp;gt;
                  &amp;lt;and-condition&amp;gt;
                    &amp;lt;entry name="And Condition 1"&amp;gt;
                      &amp;lt;or-condition&amp;gt;
                        &amp;lt;entry name="Or Condition 1"&amp;gt;
                          &amp;lt;operator&amp;gt;
                            &amp;lt;pattern-match&amp;gt;
                              &amp;lt;pattern&amp;gt;\x 6578616d706c652e636f6d \x&amp;lt;/pattern&amp;gt;
                              &amp;lt;context&amp;gt;ssl-req-client-hello&amp;lt;/context&amp;gt;
                            &amp;lt;/pattern-match&amp;gt;
                          &amp;lt;/operator&amp;gt;
                        &amp;lt;/entry&amp;gt;
                      &amp;lt;/or-condition&amp;gt;
                    &amp;lt;/entry&amp;gt;
                  &amp;lt;/and-condition&amp;gt;
                  &amp;lt;scope&amp;gt;protocol-data-unit&amp;lt;/scope&amp;gt;
                  &amp;lt;order-free&amp;gt;no&amp;lt;/order-free&amp;gt;
                &amp;lt;/entry&amp;gt;
              &amp;lt;/signature&amp;gt;
              &amp;lt;subcategory&amp;gt;internet-utility&amp;lt;/subcategory&amp;gt;
              &amp;lt;category&amp;gt;general-internet&amp;lt;/category&amp;gt;
              &amp;lt;technology&amp;gt;browser-based&amp;lt;/technology&amp;gt;
              &amp;lt;risk&amp;gt;1&amp;lt;/risk&amp;gt;
            &amp;lt;/entry&amp;gt;&lt;/LI-CODE&gt;
&lt;P&gt;Then you can also have a signature to match the http-req-host-header field for non-SSL traffic as well, like below:&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;            &amp;lt;entry name="Example-Site"&amp;gt;
              &amp;lt;default&amp;gt;
                &amp;lt;port&amp;gt;
                  &amp;lt;member&amp;gt;tcp/443&amp;lt;/member&amp;gt;
                  &amp;lt;member&amp;gt;tcp/80&amp;lt;/member&amp;gt;
                &amp;lt;/port&amp;gt;
              &amp;lt;/default&amp;gt;
              &amp;lt;signature&amp;gt;
                &amp;lt;entry name="Host Match"&amp;gt;
                  &amp;lt;and-condition&amp;gt;
                    &amp;lt;entry name="And Condition 1"&amp;gt;
                      &amp;lt;or-condition&amp;gt;
                        &amp;lt;entry name="Or Condition 1"&amp;gt;
                          &amp;lt;operator&amp;gt;
                            &amp;lt;pattern-match&amp;gt;
                              &amp;lt;pattern&amp;gt;example\.com&amp;lt;/pattern&amp;gt;
                              &amp;lt;context&amp;gt;http-req-host-header&amp;lt;/context&amp;gt;
                            &amp;lt;/pattern-match&amp;gt;
                          &amp;lt;/operator&amp;gt;
                        &amp;lt;/entry&amp;gt;
                      &amp;lt;/or-condition&amp;gt;
                    &amp;lt;/entry&amp;gt;
                  &amp;lt;/and-condition&amp;gt;
                  &amp;lt;scope&amp;gt;protocol-data-unit&amp;lt;/scope&amp;gt;
                  &amp;lt;order-free&amp;gt;no&amp;lt;/order-free&amp;gt;
                &amp;lt;/entry&amp;gt;
              &amp;lt;/signature&amp;gt;
              &amp;lt;subcategory&amp;gt;internet-utility&amp;lt;/subcategory&amp;gt;
              &amp;lt;category&amp;gt;general-internet&amp;lt;/category&amp;gt;
              &amp;lt;technology&amp;gt;browser-based&amp;lt;/technology&amp;gt;
              &amp;lt;risk&amp;gt;1&amp;lt;/risk&amp;gt;
            &amp;lt;/entry&amp;gt;
&lt;/LI-CODE&gt;
&lt;P&gt;&lt;BR /&gt;You can use a site like &lt;A href="https://onlinetexttools.com/convert-text-to-hexadecimal" target="_self"&gt;THIS&lt;/A&gt;&amp;nbsp;to get the hex easily. In the example below, the only tool option that I leave enabled is 'Add Zero to Short Values'; both 'Separate Hex Values' and 'Add Hex Base Indicator' I personally leave off to avoid character limits, and it will still work perfectly fine.&amp;nbsp;&lt;BR /&gt;You could also collapse the signatures together within a single entry if you wanted, instead of separating them out into "Example-Site" and "SSL-Example-Site" like I did. I personally like having both because it creates a delimitation, but that's absolutely not required.&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 09 Jan 2024 22:36:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/forcing-redirecting-ip-addresses-to-use-name/m-p/572442#M2404</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2024-01-09T22:36:36Z</dc:date>
    </item>
    <item>
      <title>Re: Forcing/Redirecting IP addresses to use name</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/forcing-redirecting-ip-addresses-to-use-name/m-p/572572#M2411</link>
      <description>&lt;P&gt;As &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt; mentioned, you can use App-ID and match the allowed hostname. You can also do a threat signature that matches on web or SSL traffic when a hostname or SNI is just present, and use the Negate rule match to exclude, for example, "example\.com" so as to not block the valid domain.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/create-a-custom-threat-signature" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/create-a-custom-threat-signature&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/objects/objects-custom-objects/objects-custom-objects-data-patterns/syntax-for-regular-expression-data-patterns" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/objects/objects-custom-objects/objects-custom-objects-data-patterns/syntax-for-regular-expression-data-patterns&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 10 Jan 2024 16:23:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/forcing-redirecting-ip-addresses-to-use-name/m-p/572572#M2411</guid>
      <dc:creator>nikoolayy1</dc:creator>
      <dc:date>2024-01-10T16:23:30Z</dc:date>
    </item>
  </channel>
</rss>

