topic Re: Using Minemeld to do FQDN refresh for security rules in General Topics

Using Minemeld to do FQDN refresh for security rules

david.sherrill — Tue, 26 Feb 2019 16:47:55 GMT

So we recently started having trouble with our Palo's saying that the FQDN refresh job finished sucessfully but the items still TTL out and die. While waiting for support to look into it it occurs to me that I might beable to feed Minemeld a list of URL's and have it do the resolution and pump the results back to PAN. Anyone have any experience with this?

Re: Using Minemeld to do FQDN refresh for security rules

apackard — Tue, 26 Feb 2019 18:44:27 GMT

Can't help with the question, but I can say we've been having loads of issues with FQDN refreshes on our firewalls recently. Don't know why its started to get worse (or if its just perception) but we have multiple open tickets in this space...!

Re: Using Minemeld to do FQDN refresh for security rules

lmori — Thu, 28 Feb 2019 08:22:57 GMT

You could use Google DNS JSON API to do it:

click on the AWS.AMAZON prototype
click on NEW
Paste the following in the prototype section (changed the hostname to be resolved :-))

{
   "age_out": {
      "default": null,
      "interval": 257,
      "sudden_death": true
   },
   "attributes": {
      "confidence": 100,
      "share_level": "green",
      "type": "IPv4"
   },
   "extractor": "Answer[?type==`1`].data.{indicator: @}",
   "indicator": "indicator",
   "prefix": "dns",
   "source_name": "dns.PaloAltoNetworks",
   "url": "https://dns.google.com/resolve?name=www.paloaltonetworks.com"
}

Re: Using Minemeld to do FQDN refresh for security rules

david.sherrill — Thu, 28 Feb 2019 12:52:53 GMT

Going to try this today but it looks like it will work perfectly! Thanks I will report back!

Re: Using Minemeld to do FQDN refresh for security rules

david.sherrill — Thu, 28 Feb 2019 13:33:04 GMT

It definatly works as expected, one question though is there an easy way to add new entries, or am I basically making a new one everytime I need to add a new URL?

Thanks!

Re: Using Minemeld to do FQDN refresh for security rules

xhoms — Thu, 28 Feb 2019 13:41:54 GMT

Hi @david.sherrill ,

yes. I'm afraid you need a new node (miner) per FQDN (details in the Google DNS API specification at https://developers.google.com/speed/public-dns/docs/dns-over-https)

If you're planning to configure 10's or more of them then you might want to take a look to the FQDN-Service project (AWS Serverless Component you can deploy at almost no montly cost and that can resolve 100's of FQDN's at once)

Xavi