https://live.paloaltonetworks.com/t5/general-topics/security-policy-with-sources-on-a-cdn-or-domains-with-wildcard/m-p/568475#M114732 <P>Hello to all,</P> <P>I would like to know how smart PAN admins would solve this problem:</P> <P>suppose you have to allow inbound traffic from a source address that is:</P> <P>- defined as a FQDN but you know from DNS that it is delivered via a CDN like cloudflare, akamai, etc</P> <P>or</P> <P>- defined as a domain with a wildcard, for example *.letsencrypt.org</P> <P>&nbsp;</P> <P>I know that:</P> <P>- I can't use FQDN address object, cause I can't use wildcards, but also cause CDN do use a fast rotate DNS mechanism (with often lots of addresses), and the firewall cache can't copy well that (if I am not wrong a FQDN address can have up to 10 IP addresses associated in the cache)</P> <P>- I can't use a CUSTOM URL category object, cause URL categories are only supported for web protocols like HTTP, but most of all cause URL category objects can be used only as a destination filter, not a source filter</P> <P>- Sadly I can't use minemeld anymore</P> <P>&nbsp;</P> <P>So.. what workaround would you use, given that this must be a quite common problem?</P> <P>&nbsp;</P> <P>Thanks in advance</P> <P>TonyP</P> Tue, 05 Dec 2023 17:40:12 GMT TonyP 2023-12-05T17:40:12Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-with-sources-on-a-cdn-or-domains-with-wildcard/m-p/568475#M114732 <P>Hello to all,</P> <P>I would like to know how smart PAN admins would solve this problem:</P> <P>suppose you have to allow inbound traffic from a source address that is:</P> <P>- defined as a FQDN but you know from DNS that it is delivered via a CDN like cloudflare, akamai, etc</P> <P>or</P> <P>- defined as a domain with a wildcard, for example *.letsencrypt.org</P> <P>&nbsp;</P> <P>I know that:</P> <P>- I can't use FQDN address object, cause I can't use wildcards, but also cause CDN do use a fast rotate DNS mechanism (with often lots of addresses), and the firewall cache can't copy well that (if I am not wrong a FQDN address can have up to 10 IP addresses associated in the cache)</P> <P>- I can't use a CUSTOM URL category object, cause URL categories are only supported for web protocols like HTTP, but most of all cause URL category objects can be used only as a destination filter, not a source filter</P> <P>- Sadly I can't use minemeld anymore</P> <P>&nbsp;</P> <P>So.. what workaround would you use, given that this must be a quite common problem?</P> <P>&nbsp;</P> <P>Thanks in advance</P> <P>TonyP</P> Tue, 05 Dec 2023 17:40:12 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-with-sources-on-a-cdn-or-domains-with-wildcard/m-p/568475#M114732 TonyP 2023-12-05T17:40:12Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-with-sources-on-a-cdn-or-domains-with-wildcard/m-p/568663#M114744 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/67199">@TonyP</a> ,</P> <P>&nbsp;</P> <P>I believe you already mentioned all the proposed solutions by PAN:</P> <P><STRONG><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boQJCAY" target="_blank" rel="noopener">FAST-DNS Resolution Issues</A></STRONG></P> <P>&nbsp;</P> <P>I can't come up with another workaround at the moment ... maybe someone smarter here can <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>Other use cases might require a feature request.</P> <P>&nbsp;</P> <P>Kind regards,</P> <P>-Kim.</P> <P>&nbsp;</P> Wed, 06 Dec 2023 10:38:47 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-with-sources-on-a-cdn-or-domains-with-wildcard/m-p/568663#M114744 kiwi 2023-12-06T10:38:47Z