https://live.paloaltonetworks.com/t5/general-topics/about-address-object-with-fqdn-and-apply-it-to-security-policy/m-p/45707#M33592 <HTML><HEAD></HEAD><BODY><P>Thank you <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12px; background-color: #f6f6f6;">Mariano</SPAN>.</P><P>Your description is very helpful for me.</P></BODY></HTML> Thu, 04 Sep 2014 06:50:48 GMT neilwu 2014-09-04T06:50:48Z https://live.paloaltonetworks.com/t5/general-topics/about-address-object-with-fqdn-and-apply-it-to-security-policy/m-p/45703#M33588 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 10pt;">If I have a FQDN "abc.com" that have two DNS records 10.0.0.1 and 10.0.0.2.</SPAN></P><P><SPAN style="font-size: 10pt;"><SPAN style="line-height: 1.5em;">Then I create a&nbsp; </SPAN><SPAN style="line-height: 1.5em;">address object with FQDN type, and the value is "abc.com"</SPAN></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">When I use this object into security policy, how does it working? Does it become 10.0.0.1 or 10.0.0.2 ? or it will randomize <SPAN style="color: #505050; font-family: verdana;">according to catch?</SPAN></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">If a client connect to "abc.com", and the client's DNS (Ex. F5 GTM) <SPAN style="color: #505050; font-family: verdana;">resolve this FQDN become 10.0.0.1.</SPAN></SPAN></P><P><SPAN style="font-size: 10pt;">but in the security policy, the PaloAlto Firewall says "abc.com" is 10.0.0.2.</SPAN></P><P><SPAN style="font-size: 10pt;">I think that would be a problem because sometimes it can match the rule and sometimes doesn't.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">My purpose is if I use address object with FQDN then PaloAlto Firewall can </SPAN><SPAN style="color: #505050; font-size: 10pt; font-family: verdana;">resolve all about this FQDN's IP address, and apply to rule dynamically.</SPAN></P><P><SPAN style="color: #505050; font-size: 10pt; font-family: verdana;">If the address object with FQDN always just can <SPAN style="color: #505050; font-family: verdana;">resolve</SPAN> one IP address, I think It should not be use. doesn't it? </SPAN></P><P></P><P></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P></BODY></HTML> Wed, 03 Sep 2014 17:40:07 GMT https://live.paloaltonetworks.com/t5/general-topics/about-address-object-with-fqdn-and-apply-it-to-security-policy/m-p/45703#M33588 neilwu 2014-09-03T17:40:07Z https://live.paloaltonetworks.com/t5/general-topics/about-address-object-with-fqdn-and-apply-it-to-security-policy/m-p/45704#M33589 <HTML><HEAD></HEAD><BODY><P>Hi Neilwu,</P><P></P><P>We can resolve upto 10 IPs per FQDN and keep in security policy. Make sure your DNS server resolve FQDN to all IP addresses, than and than its possible.</P><P></P><P>Refer following thread for more details.</P><P><A href="https://live.paloaltonetworks.com/message/17233">FQDN address object resolution (multiple IP's)</A></P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Wed, 03 Sep 2014 17:44:27 GMT https://live.paloaltonetworks.com/t5/general-topics/about-address-object-with-fqdn-and-apply-it-to-security-policy/m-p/45704#M33589 hshah 2014-09-03T17:44:27Z https://live.paloaltonetworks.com/t5/general-topics/about-address-object-with-fqdn-and-apply-it-to-security-policy/m-p/45705#M33590 <HTML><HEAD></HEAD><BODY><P>Hi <A href="https://live.paloaltonetworks.com/u1/11710">neilwu</A></P><P></P><P>Do you see the IP address for which it is not working in the running security policy ? You can verify that through CLI:</P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">show running security-policy | match 10.0.0.1</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">show running security-policy | match 10.0.0.2</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Thanks<BR /></SPAN></P></BODY></HTML> Wed, 03 Sep 2014 18:09:23 GMT https://live.paloaltonetworks.com/t5/general-topics/about-address-object-with-fqdn-and-apply-it-to-security-policy/m-p/45705#M33590 bat 2014-09-03T18:09:23Z https://live.paloaltonetworks.com/t5/general-topics/about-address-object-with-fqdn-and-apply-it-to-security-policy/m-p/45706#M33591 <HTML><HEAD></HEAD><BODY><P>The definitive answer depends on what the DNS query responds and if the servers themselves change their IP (or there is more than one server always-listening and DNS is being used as a load-balancing technique).</P><P></P><P>I've experienced a scenario where a FQDN was being used in a security policy, and the destination host was changing its IP address to a pool of 3 IP addresses in a round-robin fashion. The DNS record was also dynamically updated to reflect the newly assigned IP on its non-authoritative section.</P><P></P><P>The Palo Alto Networks firewall does not run a DNS resolution on the fly for every SYN packet that goes out if a FQDN is used in a security policy, thus causing a practical problem. As you described "<SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 13.6000003814697px;"> sometimes it can match the rule and sometimes doesn't." </SPAN></P><P></P><P>There is a set frequency in which the firewall will resolve a FQDN and run a short commit to update the resulting security policy. The firewall is matching IP addresses and if a FQDN is used in the security policy, it will not work well with frequently changing records.</P><P></P><P>For cloud FQDN's there are different approaches.</P><P></P><P>The DNS records may rotate pointing to new IP's (like Facebook does):</P><P class="p1">computer$ nslookup www.facebook.com</P><P class="p1">Server: <SPAN style="font-size: 13.6000003814697px;">&lt;obscured&gt;</SPAN></P><P class="p1">Address: <SPAN style="font-size: 13.6000003814697px;">&lt;obscured&gt;</SPAN>#53</P><P class="p2"></P><P class="p1">Non-authoritative answer:</P><P class="p1">www.facebook.com canonical name = star.c10r.facebook.com.</P><P class="p1">Name: star.c10r.facebook.com</P><P class="p1">Address: 69.171.237.20</P><P></P><P>Or another approach is to give you a long list of possible addresses (like Google does):</P><P class="p1"><SPAN style="font-size: 13.6000003814697px;">computer$ </SPAN>nslookup www.google.com</P><P class="p1">Server: &lt;obscured&gt;</P><P class="p1">Address: <SPAN style="font-size: 13.6000003814697px;">&lt;obscured&gt;</SPAN>#53</P><P class="p2"></P><P class="p1">Non-authoritative answer:</P><P class="p1">Name: www.google.com</P><P class="p1">Address: 74.125.239.49</P><P class="p1">Name: www.google.com</P><P class="p1">Address: 74.125.239.48</P><P class="p1">Name: www.google.com</P><P class="p1">Address: 74.125.239.51</P><P class="p1">Name: www.google.com</P><P class="p1">Address: 74.125.239.52</P><P class="p1">Name: www.google.com</P><P class="p1">Address: 74.125.239.50</P><P></P><P>... When you have a long list of possible IP's, the Palo Alto Networks firewall will cache up to 10 IP addresses presented in the Non-authoritative section of the DNS query response. This does not mean that it will cache those IP's for a round-robin rotating DNS record.</P><P></P><P>Hope this helps,</P><P>Mariano Ivaldi</P></BODY></HTML> Wed, 03 Sep 2014 19:04:37 GMT https://live.paloaltonetworks.com/t5/general-topics/about-address-object-with-fqdn-and-apply-it-to-security-policy/m-p/45706#M33591 mivaldi 2014-09-03T19:04:37Z https://live.paloaltonetworks.com/t5/general-topics/about-address-object-with-fqdn-and-apply-it-to-security-policy/m-p/45707#M33592 <HTML><HEAD></HEAD><BODY><P>Thank you <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12px; background-color: #f6f6f6;">Mariano</SPAN>.</P><P>Your description is very helpful for me.</P></BODY></HTML> Thu, 04 Sep 2014 06:50:48 GMT https://live.paloaltonetworks.com/t5/general-topics/about-address-object-with-fqdn-and-apply-it-to-security-policy/m-p/45707#M33592 neilwu 2014-09-04T06:50:48Z https://live.paloaltonetworks.com/t5/general-topics/about-address-object-with-fqdn-and-apply-it-to-security-policy/m-p/556702#M112994 <P>Bumping and old thread here, but is there any practical approach to this round-robin resolving discrepancy between host and firewall?</P> <P>&nbsp;</P> <P>I have several FQDN-s to which internal host has to communicate to and facing exactly the same problem. IP address resolved by the client host differs from one present in firewall's cache at that time and security rule fails. I would configure all those load balanced IP addresses statically, but they get changed faster than the diapers on newborns <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Wed, 06 Sep 2023 08:22:51 GMT https://live.paloaltonetworks.com/t5/general-topics/about-address-object-with-fqdn-and-apply-it-to-security-policy/m-p/556702#M112994 Flang3r 2023-09-06T08:22:51Z