<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic FQDN security in policy in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/fqdn-security-in-policy/m-p/476570#M103592</link>
    <description>&lt;P&gt;Hi All, I am quite new to Palo Alto. Can anyone explain to me what happens if we configure an object as an FQDN, IP, and URL? I have created one security policy where I have implemented the destination as an FQDN (nslookup results in 1 IP address), but the user is reporting that it's not working. For that, the FQDN default TTL is 5 mins and the refresh time is 6 hours.&lt;BR /&gt;Also, how can we decide whether we need to configure an address as an FQDN or a URL, and how does the TTL value play a role in that?&lt;/P&gt;</description>
    <pubDate>Tue, 29 Mar 2022 09:00:13 GMT</pubDate>
    <dc:creator>PujaMandavgade</dc:creator>
    <dc:date>2022-03-29T09:00:13Z</dc:date>
    <item>
      <title>FQDN security in policy</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/fqdn-security-in-policy/m-p/476570#M103592</link>
      <description>&lt;P&gt;Hi All, I am quite new to Palo Alto. Can anyone explain to me what happens if we configure an object as an FQDN, IP, and URL? I have created one security policy where I have implemented the destination as an FQDN (nslookup results in 1 IP address), but the user is reporting that it's not working. For that, the FQDN default TTL is 5 mins and the refresh time is 6 hours.&lt;BR /&gt;Also, how can we decide whether we need to configure an address as an FQDN or a URL, and how does the TTL value play a role in that?&lt;/P&gt;</description>
      <pubDate>Tue, 29 Mar 2022 09:00:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/fqdn-security-in-policy/m-p/476570#M103592</guid>
      <dc:creator>PujaMandavgade</dc:creator>
      <dc:date>2022-03-29T09:00:13Z</dc:date>
    </item>
    <item>
      <title>Re: FQDN security in policy</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/fqdn-security-in-policy/m-p/476645#M103602</link>
      <description>&lt;P&gt;How have you implemented the firewall rules? And have you searched the traffic logs to see if the user is getting blocked/filtered through a different firewall rule than expected?&lt;/P&gt;&lt;P&gt;FQDNs and IPs are essentially the same and match on the source or destination IP address in the Security Policy, with the exception that FQDN objects will automatically update if the IP address changes. However, it is important to remember that your client may not have the same root DNS source and therefore might not be going to the same IP for a given FQDN as the Palo Alto resolves. Also, some sites use fast-flux DNS, where the IP is constantly changing and only some IPs are returned at any given time from a large set of possible IPs, so it is basically impossible to keep the PA and client DNS responses consistent.&lt;/P&gt;&lt;P&gt;A URL object matches in HTTP/HTTPS/etc. protocol traffic, but is never resolved to an IP. A security policy with a URL object is looking at the HTTP headers to extract the target URL (which may exist across multiple IPs, or multiple unrelated URLs may reside on the same server IP). If you are using URL objects, be sure to terminate them correctly, as the wildcard matching may not always work as expected.&lt;/P&gt;&lt;P&gt;A simple URL object Security Policy can also be tricky to implement because many websites may appear to be at a simple URL, but the page actually includes lots of resources from many other URLs and domains. You may also need to be running SSL decryption to get full use out of URL objects (to be able to see all the URLs in the session).&lt;/P&gt;</description>
      <pubDate>Tue, 29 Mar 2022 16:41:18 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/fqdn-security-in-policy/m-p/476645#M103602</guid>
      <dc:creator>Adrian_Jensen</dc:creator>
      <dc:date>2022-03-29T16:41:18Z</dc:date>
    </item>
  </channel>
</rss>

