topic Finding FQDNs for blocked IP's or SSL-Inspection in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/finding-fqdns-for-blocked-ip-s-or-ssl-inspection/m-p/1002711#M5364 <P>Once a week, someone reports having issues accessing a site.&nbsp; Today that issue involves a credit card processing page that is aging-out because there is no SSL inspection exception.&nbsp; FW Logs of course show an IP address (no URL/FQDN), and the rule to allow access or exclude from ssl inspection requires using an FQDN.</P> <P>&nbsp;</P> <P>The page URL in address bar has been allowed and browser/dev tools/console/sources does not indicate any other place where the browser is trying to go.&nbsp; I also look at OpenDNS reports to see what DNS queries the user made around the same time.&nbsp; There can be 100 sites within a few seconds, so I end up doing an NSLOOKUP on each of the FQDNs in the OpenDNS report to see if the IP matches the blocked traffic in the FW.&nbsp; Once I match the FQDN to the IP, I know that is the FQDN that needs to be unblocked in the FW.</P> <P>&nbsp;</P> <P>This is a very tedious process, and after spending an hour on this today, I am not able to find the right FQDN to match the IP's that are being blocked.</P> <P>&nbsp;</P> <P>Does anyone have a tool or better way to locate FQDNs for blocked IP's?&nbsp; If life were easy, OpenDNS (OR PALO) would record both the FQDN and the translated IP when DNS is queried&nbsp; so I would not have to search for it, but alas, that doesn't seem to be a thing for any vendor, so I keep having to do these treasure hunts on a regular basis.</P> <P>&nbsp;</P> <P>Any suggestions/tricks/tips would be greatly appreciated.</P> Fri, 10 Jan 2025 15:36:25 GMT ppeeters 2025-01-10T15:36:25Z Finding FQDNs for blocked IP's or SSL-Inspection https://live.paloaltonetworks.com/t5/next-generation-firewall/finding-fqdns-for-blocked-ip-s-or-ssl-inspection/m-p/1002711#M5364 <P>Once a week, someone reports having issues accessing a site.&nbsp; Today that issue involves a credit card processing page that is aging-out because there is no SSL inspection exception.&nbsp; FW Logs of course show an IP address (no URL/FQDN), and the rule to allow access or exclude from ssl inspection requires using an FQDN.</P> <P>&nbsp;</P> <P>The page URL in address bar has been allowed and browser/dev tools/console/sources does not indicate any other place where the browser is trying to go.&nbsp; I also look at OpenDNS reports to see what DNS queries the user made around the same time.&nbsp; There can be 100 sites within a few seconds, so I end up doing an NSLOOKUP on each of the FQDNs in the OpenDNS report to see if the IP matches the blocked traffic in the FW.&nbsp; Once I match the FQDN to the IP, I know that is the FQDN that needs to be unblocked in the FW.</P> <P>&nbsp;</P> <P>This is a very tedious process, and after spending an hour on this today, I am not able to find the right FQDN to match the IP's that are being blocked.</P> <P>&nbsp;</P> <P>Does anyone have a tool or better way to locate FQDNs for blocked IP's?&nbsp; If life were easy, OpenDNS (OR PALO) would record both the FQDN and the translated IP when DNS is queried&nbsp; so I would not have to search for it, but alas, that doesn't seem to be a thing for any vendor, so I keep having to do these treasure hunts on a regular basis.</P> <P>&nbsp;</P> <P>Any suggestions/tricks/tips would be greatly appreciated.</P> Fri, 10 Jan 2025 15:36:25 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/finding-fqdns-for-blocked-ip-s-or-ssl-inspection/m-p/1002711#M5364 ppeeters 2025-01-10T15:36:25Z Re: Finding FQDNs for blocked IP's or SSL-Inspection https://live.paloaltonetworks.com/t5/next-generation-firewall/finding-fqdns-for-blocked-ip-s-or-ssl-inspection/m-p/1066318#M5378 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/13369">@ppeeters</a>&nbsp;,</P> <P>&nbsp;</P> <P>DNS Security may help, if your FQDN is somehow a possible risk domain.</P> <P>Maybe you can enable the logging (once your firewall is fixed for CVE-20243393) and monitor the threat logs for input.</P> <P>&nbsp;</P> <P>Otherwise, you can let a capture running on DNS traffic from a computer and check directly in the capture when needed.</P> <P>&nbsp;</P> <P>Similar to that, you can set up a DNS proxy on the firewall, so you can check on the DNS proxy cache on the firewall.</P> <P>&nbsp;</P> <P>Olivier</P> Tue, 14 Jan 2025 02:31:46 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/finding-fqdns-for-blocked-ip-s-or-ssl-inspection/m-p/1066318#M5378 ozheng 2025-01-14T02:31:46Z