This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About address object with FQDN and apply it to security policy.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

About address object with FQDN and apply it to security policy.

Go to solution
neilwu
L2 Linker

‎09-03-2014 10:40 AM

If I have a FQDN "abc.com" that have two DNS records 10.0.0.1 and 10.0.0.2.

Then I create a  address object with FQDN type, and the value is "abc.com"


When I use this object into security policy, how does it working? Does it become 10.0.0.1 or 10.0.0.2 ? or it will randomize according to catch?


If a client connect to "abc.com", and the client's DNS (Ex. F5 GTM) resolve this FQDN become 10.0.0.1.

but in the security policy, the PaloAlto Firewall says "abc.com" is 10.0.0.2.

I think that would be a problem because sometimes it can match the rule and sometimes doesn't.

My purpose is if I use address object with FQDN then PaloAlto Firewall can resolve all about this FQDN's IP address, and apply to rule dynamically.

If the address object with FQDN always just can resolve one IP address, I think It should not be use. doesn't it?





0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
mivaldi
L7 Applicator

‎09-03-2014 12:04 PM

The definitive answer depends on what the DNS query responds and if the servers themselves change their IP (or there is more than one server always-listening and DNS is being used as a load-balancing technique).

I've experienced a scenario where a FQDN was being used in a security policy, and the destination host was changing its IP address to a pool of 3 IP addresses in a round-robin fashion. The DNS record was also dynamically updated to reflect the newly assigned IP on its non-authoritative section.

The Palo Alto Networks firewall does not run a DNS resolution on the fly for every SYN packet that goes out if a FQDN is used in a security policy, thus causing a practical problem. As you described " sometimes it can match the rule and sometimes doesn't."

There is a set frequency in which the firewall will resolve a FQDN and run a short commit to update the resulting security policy. The firewall is matching IP addresses and if a FQDN is used in the security policy, it will not work well with frequently changing records.

For cloud FQDN's there are different approaches.

The DNS records may rotate pointing to new IP's (like Facebook does):

computer$ nslookup www.facebook.com

Server: <obscured>

Address: <obscured>#53

Non-authoritative answer:

www.facebook.com canonical name = star.c10r.facebook.com.

Name: star.c10r.facebook.com

Address: 69.171.237.20

Or another approach is to give you a long list of possible addresses (like Google does):

computer$ nslookup www.google.com

Server: <obscured>

Address: <obscured>#53

Non-authoritative answer:

Name: www.google.com

Address: 74.125.239.49

Name: www.google.com

Address: 74.125.239.48

Name: www.google.com

Address: 74.125.239.51

Name: www.google.com

Address: 74.125.239.52

Name: www.google.com

Address: 74.125.239.50

... When you have a long list of possible IP's, the Palo Alto Networks firewall will cache up to 10 IP addresses presented in the Non-authoritative section of the DNS query response. This does not mean that it will cache those IP's for a round-robin rotating DNS record.

Hope this helps,

Mariano Ivaldi

View solution in original post

5 REPLIES 5

Go to solution
hshah
L6 Presenter

‎09-03-2014 10:44 AM

Hi Neilwu,

We can resolve upto 10 IPs per FQDN and keep in security policy. Make sure your DNS server resolve FQDN to all IP addresses, than and than its possible.

Refer following thread for more details.

FQDN address object resolution (multiple IP's)

Regards,

Hardik Shah

0 Likes Likes

Go to solution
bat
L5 Sessionator

‎09-03-2014 11:09 AM

Hi neilwu

Do you see the IP address for which it is not working in the running security policy ? You can verify that through CLI:

show running security-policy | match 10.0.0.1

show running security-policy | match 10.0.0.2


Thanks

0 Likes Likes

Go to solution
mivaldi
L7 Applicator

‎09-03-2014 12:04 PM

The definitive answer depends on what the DNS query responds and if the servers themselves change their IP (or there is more than one server always-listening and DNS is being used as a load-balancing technique).

I've experienced a scenario where a FQDN was being used in a security policy, and the destination host was changing its IP address to a pool of 3 IP addresses in a round-robin fashion. The DNS record was also dynamically updated to reflect the newly assigned IP on its non-authoritative section.

The Palo Alto Networks firewall does not run a DNS resolution on the fly for every SYN packet that goes out if a FQDN is used in a security policy, thus causing a practical problem. As you described " sometimes it can match the rule and sometimes doesn't."

There is a set frequency in which the firewall will resolve a FQDN and run a short commit to update the resulting security policy. The firewall is matching IP addresses and if a FQDN is used in the security policy, it will not work well with frequently changing records.

For cloud FQDN's there are different approaches.

The DNS records may rotate pointing to new IP's (like Facebook does):

computer$ nslookup www.facebook.com

Server: <obscured>

Address: <obscured>#53

Non-authoritative answer:

www.facebook.com canonical name = star.c10r.facebook.com.

Name: star.c10r.facebook.com

Address: 69.171.237.20

Or another approach is to give you a long list of possible addresses (like Google does):

computer$ nslookup www.google.com

Server: <obscured>

Address: <obscured>#53

Non-authoritative answer:

Name: www.google.com

Address: 74.125.239.49

Name: www.google.com

Address: 74.125.239.48

Name: www.google.com

Address: 74.125.239.51

Name: www.google.com

Address: 74.125.239.52

Name: www.google.com

Address: 74.125.239.50

... When you have a long list of possible IP's, the Palo Alto Networks firewall will cache up to 10 IP addresses presented in the Non-authoritative section of the DNS query response. This does not mean that it will cache those IP's for a round-robin rotating DNS record.

Hope this helps,

Mariano Ivaldi

Go to solution
neilwu
L2 Linker

‎09-03-2014 11:50 PM

Thank you Mariano.

Your description is very helpful for me.

0 Likes Likes

Go to solution
Flang3r
L2 Linker
In response to mivaldi

‎09-06-2023 01:21 AM - edited ‎09-06-2023 01:22 AM

Bumping and old thread here, but is there any practical approach to this round-robin resolving discrepancy between host and firewall?

 

I have several FQDN-s to which internal host has to communicate to and facing exactly the same problem. IP address resolved by the client host differs from one present in firewall's cache at that time and security rule fails. I would configure all those load balanced IP addresses statically, but they get changed faster than the diapers on newborns 😞

Pushing zeros and ones.
0 Likes Likes
  • 1 accepted solution
  • 9307 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks