topic Re: FQDN Policy in General Topics

FQDN Policy

aguley — Thu, 12 Jun 2014 17:50:54 GMT

Is it possible to use a wildcard when creating a policy based off of a fqdn?

Thanks

Re: FQDN Policy

HULK — Thu, 12 Jun 2014 19:27:24 GMT

Yes, you can add FQDN address object into the security policy.

FYI:

Step-1

Step-2:

Thanks

Re: FQDN Policy

aguley — Thu, 12 Jun 2014 19:32:21 GMT

Thanks for the response. I was wondering though is there a way I could do something like *.blackberry.com. So if the user is hitting test123.blackberry.com one time then the next time they go to test1234.blackberry.com it will allow them to the site without having to add both sites individually?

Thanks

Re: FQDN Policy

HULK — Thu, 12 Jun 2014 20:01:40 GMT

Hello,

A fully qualified domain name (FQDN) should specify its exact location in the tree hierarchy of the Domain Name System (DNS). It specifies all domain levels, including the top-level domain and the root zone. Hence *.blackberry.com will not work as FQDN address object.

Thanks

Re: FQDN Policy

andreip — Mon, 28 Sep 2015 07:35:41 GMT

Even the thread is closed, there was a clarification published after a solution was provided and accepted: an internal verification will prohibit using wildcard characters in FQDN objects declaration - DOC-8222, RegEx Pattern for FQDN Address Object, now available as https://live.paloaltonetworks.com/t5/Management-Articles/RegEx-Pattern-for-FQDN-Address-Object/ta-p/60257. When using FQDN object, one should consider the maximum number of IPs mapped to a FQDN object (DOC-3371, How to Configure and Test FQDN Objects, now available as https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-and-Test-FQDN-Objects/ta-p/61903) and the default refresh timer (30 minutes, DOC-5085, How to Change the FQDN Refresh Timers, now available at https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-FQDN-Refresh-Timers/ta-p/55533).

Re: FQDN Policy

OtakarKlier — Tue, 22 Sep 2015 20:41:08 GMT

If you are using URL filtering, you can create a custom URL category and apply that category to the security policy.

Re: FQDN Policy

pvargas — Tue, 30 Jan 2018 17:00:33 GMT

I think this only works if you are going to use http or https .

Re: FQDN Policy

Kumade — Fri, 01 Feb 2019 15:51:45 GMT

Hi All,

For FQDN objects firewall does the nslookup at defined interval (default 30 minutes) to verify the IP address. Is this true for custom URL category as well?

Regards,

Deepak Kumar

Re: FQDN Policy

aleksandar.astardzhiev — Mon, 04 Feb 2019 14:34:37 GMT

No.

With FQDN object your firewall is evaluating the connection at the very first packet, it will check if the destination address of the SYN (for example) is matching the returned IP address for the FQDN object.

With URL category, you need to allow any as destination to allow the connection to establish, once the application data start to pass through the firewall it will evaluate the rulebase again and if address from the actual data is matching the rule the traffic will be allowed to continue. If not - the firewall will deny the rest of the connection.

If the connection is encrypted with SSL/TLS I believe the firewall will use the server certificate