topic Re: PBF based on domain/URL/FQDN in General Topics

PBF based on domain/URL/FQDN

linusso — Wed, 18 Apr 2012 10:22:08 GMT

After research in KnowledgePoint, I understand application is not recommended to be used in PBF as single session will always be forwarded the same way. i.e. application shifts will not change the forwarding behavior.

If we want to forward traffics from internal to specified url URL e.g. www.facebook.com to 2nd ISP, is it possible?

Any simple way to fulfill this requirement? Can anyone confirm follow idea will work?

1. Create FQDN address object and use it as Destination address in PBF.

Assumption: We collect ALL FQDNs when user access www.facebook.com
Example:
www.facebook.com
facebook.com
pixel.facebook.com
profile.ak.fbcdn.net
static.ak.fbcdn.net
a8.sphotos.ak.fbcdn.net
external.ak.fbcdn.net

Problem:

Too many FQDN objects for single site
The FQDN initially resolves at commit time. Entries are subsequently refreshed when the DNS time-to-live expires (or is close to expiring).
We cannot confirm if all IP addresses are recorded if DNS reply multiple IP for a FQDN

Re: PBF based on domain/URL/FQDN

mikand — Wed, 18 Apr 2012 11:18:48 GMT

No, I think its becuase the session WILL change and this is bad later on.

An application can (as example) be first identified as unknown, and then web-browsing and then finally facebook.

If you PBF just facebook it means that the syn/synack/ack is unknown, the http request is web-browsing and when the server replies its identified as facebook. If facebook server suddently get a packet from a new ip (your ISP2) without a syn first it will (most likely) just drop the incoming traffic due to its own sessionhandling (whatever firewalls they use) - or it least its a common thing to do.

Which means you need to either use a forward-proxy which can split outgoing sessions depending on what the client requests or do this at L3 level by help of BGP magic.

Facebook uses their own AS (if im not mistaken), if you use BGP towards your two ISPs you can make sure that traffic towards facebook AS will use ISP2 as primary connection.

Another way is to do this at L4 level in the PA device, so outgoing TCP80 and TCP443 is always routed through ISP2 as primary way out.

You can also setup a combination so that your clients use a forward-proxy for normal traffic while traffic to *.facebook.com (clientside configuration in the browser) is not sent through the forward-proxy (but this just adds complexity and is just wrong 🙂

Re: PBF based on domain/URL/FQDN

linusso — Thu, 19 Apr 2012 01:54:07 GMT

Maybe I clarify the background first. Here is the summary, assume we have two sites:

Site A - Able to access any web sites.

Site B - Not able to access some web sites (mainly facebook, twitter, youtube), the meaning of NOT able is the WHOLE country users cannot access these web sites thanks to Great Firewall of China.

Currently Site A is using Microsoft ISA as FW + Proxy. ISA is also using in SiteB as firewall.

Site B users will configure Site A ISA IP as Forward-Proxy server manually when they want to access blocked site.

--------------------------------------------------------------------------------------

We want to propose PAN to replace both ISA but we also have to take the problem of Great Firewall.

Actually the reason we want to check if PBF work in our case is PAN cannot work as forward-proxy server, we cannot replace ISA in Site A. However I just found the latest version of Check Point FW can do this.

So I think in this case, BGP magic simple doesn't work, right?

Is there any workaround?

Re: PBF based on domain/URL/FQDN

mikand — Thu, 19 Apr 2012 08:05:49 GMT

Is it possible for site B to setup an encrypted tunnel towards site A?

Because then site B could force all its traffic (or whatever traffic you like) into this encrypted tunnel which will then pop out at site A in order to reach Internet.

I dont have the details of how the China Firewall works (just some random rumours) but sending your facebook request in cleartext sounds odd that its allowed through this "Firewall" (or just a matter of time before also that is being blocked).