https://live.paloaltonetworks.com/t5/next-generation-firewall/quot-let-s-encrypt-quot-and-geoblocking-issues/m-p/592685#M3462 <P>There is not really a solution until LE decides to publish their validation endpoints, one common solution for this is to open the rule to the world only when a renew is needed and close it inmediatly.</P> <P>Some have automated this process via API or simmilar but this depends entirely on your infrastructure.</P> Mon, 22 Jul 2024 22:28:31 GMT jmoscoso1 2024-07-22T22:28:31Z https://live.paloaltonetworks.com/t5/next-generation-firewall/quot-let-s-encrypt-quot-and-geoblocking-issues/m-p/592568#M3455 <P>Hi, we have a couple 3rd-party applications that use Let's Encrypt for certificate automation. We also use geoblocking rules on our Palo Alto firewall because we are local government, so we block non-US based traffic. I recently learned that Let's Encrypt requires global access due to its nature of validation, because our certificates are failing to renew if I have the US-traffic rule enabled.</P> <P>&nbsp;</P> <P>Has anyone found a way to whitelist Let's Encrypt traffic without opening it up to the entire planet?&nbsp;</P> <P>&nbsp;</P> <P>Thanks!</P> Fri, 19 Jul 2024 16:37:11 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/quot-let-s-encrypt-quot-and-geoblocking-issues/m-p/592568#M3455 Maxstr 2024-07-19T16:37:11Z https://live.paloaltonetworks.com/t5/next-generation-firewall/quot-let-s-encrypt-quot-and-geoblocking-issues/m-p/592656#M3459 <P>With the rise of CDNs and anycast, geolocation of a destination servers can be very problematic as a given IP may trace to one location from one source, and a completely different location from a different source. There is no "location" field associated with an IP address registration, so various third parties make a best-guess as to the physical endpoint from their viewpoint and resell that data to others as geolocation... so it will never be perfect to rely on.</P> <P>&nbsp;</P> <P>There are a few ways around the geolocation region coding, depending on what type of traffic you are filtering and how broadly you want to accept:</P> <P>1) Custom Region - As many of these destinations are actually CDNs, which may host components of many different major sites, you may want to explore creating a custom region for those associated netblocks. This will override the default PaloAlto geolocation. The advantage of this is that it quickly encompasses a large swath of IPs which are known to be a major commercial hosting point, even those may technically reside in a different country. The disadvantage is that this is non-specific and "bad" sites can use CDNs just like "good" sites. The malware/AV/URL filtering tools should be used for filtering content rather than a geolocation.</P> <P class="lia-indent-padding-left-30px">Objects-&gt;Regions</P> <P class="lia-indent-padding-left-60px">Name=CDN</P> <P class="lia-indent-padding-left-60px">IP=1.1.1.1, 8.8.4.4, 8.8.8.8, 101.53.160.0/18, 118.214.0.0/16, 118.215.0.0/17</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">Policies-&gt;Security</P> <P class="lia-indent-padding-left-60px">Name=Allow Internet</P> <P class="lia-indent-padding-left-60px">SrcZone=Trust</P> <P class="lia-indent-padding-left-60px">DstZone=Untrust</P> <P class="lia-indent-padding-left-60px">DstAddr=US, CDN</P> <P class="lia-indent-padding-left-60px">Action=Allow</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P>2) FQDN List - You can create a custom FQDN address object (or address group of objects) and use that as a destination, in addition to the geolocation. This has the advantage that you are targeting a specific destination address, regardless of the geolocation. The disadvantage is that this must be a specific, resolvable FQDN that you have discovered, wildcards will not work. (Note 1: You can also create an IP address/block list and use it in the same way/different variation of the custom region.)</P> <P class="lia-indent-padding-left-30px">Objects-&gt;Addresses</P> <P class="lia-indent-padding-left-60px">Name=ExampleSite1</P> <P class="lia-indent-padding-left-60px">Type=FQDN</P> <P class="lia-indent-padding-left-60px">Address=example.com</P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-60px">Name=ExampleSite2</P> <P class="lia-indent-padding-left-60px">Type=FQDN</P> <P class="lia-indent-padding-left-60px">Address=<A href="http://www.example.com" target="_blank" rel="noopener">www.example.com</A></P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-60px">Name=ExampleImageSite</P> <P class="lia-indent-padding-left-60px">Type=FQDN</P> <P class="lia-indent-padding-left-60px">Address=images.example.com</P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-30px">Objects-&gt;Address Groups</P> <P class="lia-indent-padding-left-60px">Name=ExampleCorp</P> <P class="lia-indent-padding-left-60px">Address=ExampleSite1, ExampleSite2, ExampleImageSite</P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-30px">Policies-&gt;Security</P> <P class="lia-indent-padding-left-60px">Name=Allow Internet</P> <P class="lia-indent-padding-left-60px">SrcZone=Trust</P> <P class="lia-indent-padding-left-60px">DstZone=Untrust</P> <P class="lia-indent-padding-left-60px">DstAddr=US, ExampleCorp</P> <P class="lia-indent-padding-left-60px">Action=Allow</P> <P>&nbsp;</P> <P>3) URL List - You can create a URL list to filter based on the requested content server name instead of the actual IP address. The advantage of this is that you can use wildcards for a range of FQDNs/subdomains. The disadvantage is that this only works for HTTP(S) type applications and the connection must first establish before the requested server name can be determined. (Note1: This is more suited towards allow/deny of specific sites for specific users, in combination with URL filtering, but can also be used for wider allows/denies. Note2: This is best combined with decryption, but will generally work without.)</P> <P class="lia-indent-padding-left-30px">Objects-&gt;Custom Objects-&gt;URL Category</P> <P class="lia-indent-padding-left-60px">Name=ExampleURL</P> <P class="lia-indent-padding-left-60px">URL List=example.com/, *.example.com/</P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-30px">Policies-&gt;Security</P> <P class="lia-indent-padding-left-60px">Name=Allow Internet</P> <P class="lia-indent-padding-left-60px">SrcZone=Trust</P> <P class="lia-indent-padding-left-60px">DstZone=Untrust</P> <P class="lia-indent-padding-left-60px">DstAddr=US</P> <P class="lia-indent-padding-left-60px">Action=Allow</P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-60px">Name=Allow Internet - specific sites</P> <P class="lia-indent-padding-left-60px">SrcZone=Trust</P> <P class="lia-indent-padding-left-60px">DstZone=Untrust</P> <P class="lia-indent-padding-left-60px">Application=web-browsing, SSL</P> <P class="lia-indent-padding-left-60px">URL Category=ExampleURL</P> <P class="lia-indent-padding-left-60px">Action=Allow</P> Mon, 22 Jul 2024 17:32:14 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/quot-let-s-encrypt-quot-and-geoblocking-issues/m-p/592656#M3459 Adrian_Jensen 2024-07-22T17:32:14Z https://live.paloaltonetworks.com/t5/next-generation-firewall/quot-let-s-encrypt-quot-and-geoblocking-issues/m-p/592685#M3462 <P>There is not really a solution until LE decides to publish their validation endpoints, one common solution for this is to open the rule to the world only when a renew is needed and close it inmediatly.</P> <P>Some have automated this process via API or simmilar but this depends entirely on your infrastructure.</P> Mon, 22 Jul 2024 22:28:31 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/quot-let-s-encrypt-quot-and-geoblocking-issues/m-p/592685#M3462 jmoscoso1 2024-07-22T22:28:31Z