topic Re: issues using aka.ms in a firewall rule in General Topics

issues using aka.ms in a firewall rule

JimMcGrady — Wed, 20 Jul 2022 08:19:28 GMT

Microsoft makes extensive use of the name aka.ms to map to thousands of IPs in its Akamai content delivery network.

I find that i have issues trying to use FQDN host object aka.ms in a firewall rule. Many times traffic doesnt hit the rule.

I suspect its because Palo's periodic update of its IP table for aka.ms misses some of the addresses in use.

Has anyone else experienced this? I'm running PA 9.1.13

Re: issues using aka.ms in a firewall rule

JayGolf — Thu, 21 Jul 2022 18:46:44 GMT

Hi @JimMcGrady ,

What do you have set for your minimum FQDN refresh time? You can try setting it to 0. refresh The FQDN refresh will be based on the TTL set in DNS.

Re: issues using aka.ms in a firewall rule

BPry — Thu, 21 Jul 2022 22:13:15 GMT

@JimMcGrady,

The issue that you'll run into, even if setup as @JayGolf mentioned, is that CDNs like Akami don't have the TTL set to expire as often as they rotate clients to different hosts. This is slightly better if you have the firewall and all connected clients using the same DNS servers, but you can still have the firewall and the client get out of sync even then.

With Microsoft in particular I highly recommend using URL Filtering to limit this traffic instead of trying to utilize FQDN objects if you can. There's imperfect lists of associated Windows update IPs that you can tie with URL Filtering in more secure environments, but FQDNs never work properly for this.