topic Re: Identifying FQDN object addresses in log files in General Topics

Identifying FQDN object addresses in log files

HITSSEC — Wed, 13 Mar 2013 22:14:51 GMT

We are using FQDN objects and network objects with a traditional IP address in rules to block traffic. How do you easily determine the associated object when all you see are IP addresses in the logs. When looking at the logs and resolving host names, the defined name appears for ip addressed objects but the dns reverse lookup value appears for the FQDN defined object not the FQDN defined name. It is useful when you have comments in the decription field (used to provide background info as to why we are blocking the destination) Any suggestions would be helpful.

Re: Identifying FQDN object addresses in log files

UhMayYeah — Thu, 14 Mar 2013 07:36:35 GMT

Logs wont show up the Object name.

You can check the FQDN related deatils using CLI command:

> request system fqdn show

FQDN Table : Last Request time Thu Mar 14 00:34:58 2013

--------------------------------------------------------------------------------

IP Address Remaining TTL Secs Since Refreshed

--------------------------------------------------------------------------------

VSYS : vsys1

www.google.com (Objectname test😞

2001:4860:4002:801:0:0:0:1013 49 12

74.125.227.144 49 12

74.125.227.145 49 12

74.125.227.146 49 12

74.125.227.147 49 12

74.125.227.148 49 12

VSYS : shared

"Unfortunately we can only show traffic logs by IP addresses. Basically when we use FQDN in address objects, the PA device will resolve the IPs for those objects and will use that in the policy. Hence you will always see traffic logs showing IP address. However, you can perhaps configure rules with just one specific FQDN as the source or destination. Then you can to use rule name with FQDN name to be able to track in the traffic log." -rkim

ref:

-AMeya

Re: Identifying FQDN object addresses in log files

HITSSEC — Fri, 15 Mar 2013 00:28:00 GMT

Thanks for the feedback akawimandan. If we created a second rule for fqdn objects being blocked we would still have to the problem of identifying the defined host. I did the fqdn show and so far I have 85 entries and growing. After a bit of digging I might use a program called FastResolver - Host Names/IP Addresses/MAC Address Scanner which can do the DNS resolutions and then easity sort the results by IP order for easy lookup. Your feedback and attached post showed me that there is no easy fix so I had to dig deeper.

Thanks - Phil