topic Re: Wildcards in address objects in General Topics

Wildcards in address objects

blwallace — Thu, 19 Apr 2012 21:04:19 GMT

Instead of creating several address objects for the many MS update servers available, and then creating a group to plug into a security policy that allows my WSUS server to get updates, is there a way to use wildcards in the address objects? MS updates lists multiple locations available for updates:

This list could be condensed down to perhaps four address objects:

*.windowsupdate.microsoft.com
*.update.microsoft.com
*.download.windowsupdate.com
*.windowsupdate.com

which could be put into a address group and use the group in the security policy destination. Then I only have to move objects into and out of the group as MS changes and I don't have to worry about changing a rule. If they add or remove servers within the wildcard domains, then I don't need to make any changes.

Thanks,

Bart

Re: Wildcards in address objects

ppatel — Thu, 19 Apr 2012 22:19:58 GMT

Hi Bart,

I assume following is what you are trying to do:-

When you log into the WEB UI:-

Objects----> Addresses --->Click Add

You would like to add the FQDN as a wildcard address.

Name:- testobject

Type: FQDN *.windowsupdate.microsoft.com

SEE ATTACHMENT :- wildcard.PNG

The above FQDN syntax is not valid and cannot be used.

If this is what you are trying to do, Wildcards in address objects cannot be used (at this time).

You would have to create multiple addresses and encapsulate them in a group and bind it to the policy.

Regards,

Parth

Re: Wildcards in address objects

blwallace — Thu, 19 Apr 2012 22:30:31 GMT

Yes, I had tried that already and discovered I couldn't do it. I'm wondering if there is any other way to accomplish this.

Re: Wildcards in address objects

ppatel — Thu, 19 Apr 2012 23:16:36 GMT

Hi Bart,

You can use those wildcards in the URL filtering profile and can have in the Explicit allow/block list.The URL filtering Profile can then be applied to the policy.

Go to OBJECTS-->URL Filtering Profile
List teh following URLS in the Allow list:-
*.windowsupdate.microsoft.com

*.update.microsoft.com

*.download.windowsupdate.com

*.windowsupdate.com

Please see the attcment :- url-filtering.PNG

This way you can use the Wildcards BUT to only ALLOW AND DENY.
Let me know if that helps.

Regards,Parth

Re: Wildcards in address objects

blwallace — Thu, 19 Apr 2012 23:27:44 GMT

Thanks,

I had looked at that before writing the post and was wondering if that wouldn't work. I'll give it a try.

Re: Wildcards in address objects

mikand — Fri, 20 Apr 2012 07:40:17 GMT

A custom url-filtering along with only allow appid:ms-update (and set service:default-application) should do it.

A sidenote is that SSL decryption doesnt work for ms update traffic (since they use their own built in certs and doesnt allow any other, at least if you use WSUS or such) so Im not sure how widely open the above rule might be in reality.

Im not sure how you can in a good way limit it down further. Perhaps adding dstip:65.55.27.0/24 but these ip's I guess might differ from time to time along with being different depending on when and from where you query the DNS.

Edit: Seems it was true regarding various ip's for windowsupdate... so make that dstip:65.55.0.0/16 :smileysilly:

Re: Wildcards in address objects

MichaelBurgener — Tue, 23 Apr 2013 23:00:35 GMT

I used a Custom URL Category along with ms-update application filtering but it was not enough to just list the wildcard versions of the FQDN's, I also had to list the FQDN without the *.

ie. This is what worked for me with PANOS 4.1.10

windowsupdate.microsoft.com

*.windowsupdate.microsoft.com

update.microsoft.com

*.update.microsoft.com

download.windowsupdate.com

*.download.windowsupdate.com

windowsupdate.com

*.windowsupdate.com

Re: Wildcards in address objects

ksuuk — Fri, 03 May 2013 15:29:24 GMT

Yes, this works, but only for HTTP. How to make this work for FTP?

Re: Wildcards in address objects

mikand — Sat, 04 May 2013 22:06:39 GMT

If you want to limit which FTP sites should be possible to visit you need to use FQDN or setup a dynamic address object which you then "feed" by a script running on some server (to inform the PA device which ip addresses this current adress object/group should point at).