<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Wildcard domain + destination question in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/wildcard-domain-destination-question/m-p/307401#M79825</link>
    <description>&lt;P&gt;Hi..I want to be able to allow a specific set of apps to *.github.com.&amp;nbsp; To do this would I simply specify a custom URL with *.github.com and destination of ANY?&amp;nbsp; That would then only allow those apps to *.github.com?&amp;nbsp; I ask just because I am wary of having the destination as ANY and not clear on which takes precedence.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Currently I have it locked down to destination IPs and FQDN of github.com but that doesn't always work because IPs change and some of the valid traffic gets denied.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Annotation 2020-01-21 093816.png" style="width: 999px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/23550iE4D602CBF4FECE60/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="Annotation 2020-01-21 093816.png" alt="Annotation 2020-01-21 093816.png" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
    <pubDate>Tue, 21 Jan 2020 14:39:18 GMT</pubDate>
    <dc:creator>drewdown</dc:creator>
    <dc:date>2020-01-21T14:39:18Z</dc:date>
    <item>
      <title>Wildcard domain + destination question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/wildcard-domain-destination-question/m-p/307401#M79825</link>
      <description>&lt;P&gt;Hi..I want to be able to allow a specific set of apps to *.github.com.&amp;nbsp; To do this would I simply specify a custom URL with *.github.com and destination of ANY?&amp;nbsp; That would then only allow those apps to *.github.com?&amp;nbsp; I ask just because I am wary of having the destination as ANY and not clear on which takes precedence.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Currently I have it locked down to destination IPs and FQDN of github.com but that doesn't always work because IPs change and some of the valid traffic gets denied.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Annotation 2020-01-21 093816.png" style="width: 999px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/23550iE4D602CBF4FECE60/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="Annotation 2020-01-21 093816.png" alt="Annotation 2020-01-21 093816.png" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 21 Jan 2020 14:39:18 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/wildcard-domain-destination-question/m-p/307401#M79825</guid>
      <dc:creator>drewdown</dc:creator>
      <dc:date>2020-01-21T14:39:18Z</dc:date>
    </item>
    <item>
      <title>Re: Wildcard domain + destination question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/wildcard-domain-destination-question/m-p/307411#M79826</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/34542"&gt;@drewdown&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Specifying the destination IP addresses as any will work perfectly fine. The downside of this way is that the tcp handshake really is allowed to any IP. As soon as the firewall then sees the URL (in http get or tls client hello/server hello) then it will match this rule finally and the traffic is allowed if it matches *.github.com. If you would like to have it a little more restricted I recommend configuring all github IPs as destination. You can find the IP addresses here:&amp;nbsp;&lt;A href="https://api.github.com/meta" target="_blank"&gt;https://api.github.com/meta&lt;/A&gt;&lt;/P&gt;&lt;P&gt;(If you are using minemeld you can have minemeld dynamically import the IPs regularly or of course you could also script this workflow and regularly check if you still have all the required IPs configured)&lt;/P&gt;</description>
      <pubDate>Tue, 21 Jan 2020 14:57:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/wildcard-domain-destination-question/m-p/307411#M79826</guid>
      <dc:creator>Remo</dc:creator>
      <dc:date>2020-01-21T14:57:52Z</dc:date>
    </item>
    <item>
      <title>Re: Wildcard domain + destination question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/wildcard-domain-destination-question/m-p/307412#M79827</link>
      <description>&lt;P&gt;With dest as any is there a downside to it?&amp;nbsp; &amp;nbsp;Meaning if it is set to ANY is it going to match and allow before it sees github or an IP related to github?&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;No interest in manually entering all of those and I want to lock this down.&amp;nbsp; I do use minemeld for O365 URLs but it's been a while since I did anything with it.&amp;nbsp; &amp;nbsp;Got a link to how I can configure it to pull github IPs?&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Edit: I changed the dest to ANY and it's still denying SSH to 'lb-140-82-114-3.iad.github.com' even though I have that policy to allow *.github.com.&amp;nbsp; Honestly now that I look at it I don't know what's going on because before I made any changes it appears it was allowed sometimes and not others to the same URL/IP over ssh.&amp;nbsp; Anything before 7:11 was locked down to destination, the 7:11 attempt was just using the URL category with destination as ANY.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Annotation 2020-01-21 101441.png" style="width: 999px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/23551iAE23573FE95B8509/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="Annotation 2020-01-21 101441.png" alt="Annotation 2020-01-21 101441.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Also it seems I went over this before and URL Category ONLY works for http/SSL traffic and not SSH so I have to either allow github to ANY, configure all those IPs or use minemeld.&amp;nbsp; For all the cool features PAN has, some things leave a lot to be desired.&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 21 Jan 2020 15:25:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/wildcard-domain-destination-question/m-p/307412#M79827</guid>
      <dc:creator>drewdown</dc:creator>
      <dc:date>2020-01-21T15:25:05Z</dc:date>
    </item>
    <item>
      <title>Re: Wildcard domain + destination question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/wildcard-domain-destination-question/m-p/307415#M79828</link>
      <description>&lt;P&gt;Using only a URL category can potentially allow some packets too much - at least the tcp handshake. Another downside is that a connection could go to ANY IP as long as there is something that matches the URL category in the http get request. And yes, URL categories only work for http/https connections - not ssh.&lt;/P&gt;&lt;P&gt;So to lock it down and to also allow ssh to only github and not to any the best way is to use minemeld. There should be a json miner that you can use to pull the github IPs.&lt;/P&gt;</description>
      <pubDate>Tue, 21 Jan 2020 15:44:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/wildcard-domain-destination-question/m-p/307415#M79828</guid>
      <dc:creator>Remo</dc:creator>
      <dc:date>2020-01-21T15:44:05Z</dc:date>
    </item>
  </channel>
</rss>