topic Re: URL Object FQDN settings in General Topics

URL Object FQDN settings

clonesheep — Tue, 07 Aug 2018 09:22:19 GMT

Hi,

i must set the firewall to connect to this webpage www.google.com/recaptcha/api/siteverify

I have a object -> adress groups -> own address group for some other adresses (like itunes.apple.com and so on. There I musst now inser this domain

www.google.com/recaptcha/api/siteverify

But i Can set this as a FQDN like the others because "The value in this field is invalid."

So anyone an idea how to let the server connect to this domain?

Its for the Sophos Mobile Control service. https://community.sophos.com/kb/en-us/113217

Re: URL Object FQDN settings

Remo — Tue, 07 Aug 2018 09:28:56 GMT

Hi @clonesheep

FQDN objects for services from Google could be problematic anyway as the IP behind the FQDN could change fast and then the firewall does not allow the traffic until the FQDN object os refreshed.

In your case you could use a custom URL category to allow exactly this URL (this requires TLS decryption to work as the firewall only sees www.google.com without decrypting the traffic)

Re: URL Object FQDN settings

clonesheep — Tue, 07 Aug 2018 09:48:55 GMT

Hi @Remo

sounds good.Thanks.

But don`t understand what you mean with TLS decryption?

Re: URL Object FQDN settings

Remo — Tue, 07 Aug 2018 09:58:09 GMT

@clonesheep

Does the term "SSL decryption" mean more to you? (I try to avoid using the word SSL as this is TLS in the current versions)

What I meant you need the firewall to decrypt this HTTPS traffic (-->decryption policiy), because as I wrote the firewall does not see the actual http-get request without decryption.

Re: URL Object FQDN settings

clonesheep — Tue, 07 Aug 2018 10:15:51 GMT

ah decryption was no topic until today because we have a ssl proxy.

so is must configure a policies -> decryption -> decryption policy rule ..and what kind of options? SSL Forward Proxy?

Re: URL Object FQDN settings

Remo — Tue, 07 Aug 2018 10:29:01 GMT

Yes exactly. Because you already use another device for this already you want to make sure that really only this traffic here will be decrypted (server as source and maybe a second custom url category that contains "www.google.com")