https://live.paloaltonetworks.com/t5/general-topics/security-policy-using-wildcard-destinations-and-non-http-https/m-p/284726#M76340 <P>Dear community&nbsp;</P><P>&nbsp;</P><P>We are dealing with a request for a firewall rule which is supposed to allow SMB traffic (TCP 445) to a wildcard destination like *.subdomain.example.com out on the internet. So this made me think about how we should implement such a rule and I am not even sure it can be done or at least I don't know how. If this would be HTTP/HTTPS traffic we could create a customer URL category in order to be used in a rule with an allow action. But when the protocol isn't HTTP/HTTPS but something like SMB or SSH and so on, I don't think the URL category will be a factor. Also creating a FQDN object is not an option since it won'd allow wildcards.&nbsp;</P><P>&nbsp;</P><P>Any other ideas or suggestions from your side? Many thanks and regards</P><P>&nbsp;</P><P>Tibor</P> Fri, 23 Aug 2019 07:16:30 GMT TiborNad 2019-08-23T07:16:30Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-using-wildcard-destinations-and-non-http-https/m-p/284726#M76340 <P>Dear community&nbsp;</P><P>&nbsp;</P><P>We are dealing with a request for a firewall rule which is supposed to allow SMB traffic (TCP 445) to a wildcard destination like *.subdomain.example.com out on the internet. So this made me think about how we should implement such a rule and I am not even sure it can be done or at least I don't know how. If this would be HTTP/HTTPS traffic we could create a customer URL category in order to be used in a rule with an allow action. But when the protocol isn't HTTP/HTTPS but something like SMB or SSH and so on, I don't think the URL category will be a factor. Also creating a FQDN object is not an option since it won'd allow wildcards.&nbsp;</P><P>&nbsp;</P><P>Any other ideas or suggestions from your side? Many thanks and regards</P><P>&nbsp;</P><P>Tibor</P> Fri, 23 Aug 2019 07:16:30 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-using-wildcard-destinations-and-non-http-https/m-p/284726#M76340 TiborNad 2019-08-23T07:16:30Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-using-wildcard-destinations-and-non-http-https/m-p/284738#M76342 <P>if using internal DNS with an external forwarder it would be possible to log all requests/responses for&nbsp;<SPAN>*.subdomain.example.com and forward these via API to a dynamic address group on the PA.&nbsp;</SPAN></P><P>&nbsp;</P><P>not for me.... but it is an option...</P> Fri, 23 Aug 2019 09:25:23 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-using-wildcard-destinations-and-non-http-https/m-p/284738#M76342 Mick_Ball 2019-08-23T09:25:23Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-using-wildcard-destinations-and-non-http-https/m-p/284747#M76343 <P>Thank you very much. This is a interesting option I would never have considered. Your input is very much appreciated.&nbsp;</P><P>&nbsp;</P><P>Any other suggestions? Or can someone confirm my feeling that URL categories will not have any impact at all?</P> Fri, 23 Aug 2019 11:33:32 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-using-wildcard-destinations-and-non-http-https/m-p/284747#M76343 TiborNad 2019-08-23T11:33:32Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-using-wildcard-destinations-and-non-http-https/m-p/284841#M76355 <P>The Url categories are determined by http&nbsp;“Get” command so no chance... &nbsp;the only other time url cats will kick in is when perhaps something like smtp traffic is encrypted via tls. palo&nbsp;will then use certificate details to guess the category&nbsp;Just like undecrypted https traffic.</P><P>&nbsp;</P><P>wildcards cannot be used in fqdn as palo&nbsp;turns your string into a regex&nbsp;kinda dns search... the search criteria is within square brackets and cannot include some special characters such as an asterisk.</P><P>&nbsp;</P><P>Sorry wouldnot acept unencrypted but it has now...</P> Fri, 23 Aug 2019 18:20:58 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-using-wildcard-destinations-and-non-http-https/m-p/284841#M76355 Mick_Ball 2019-08-23T18:20:58Z