FQDN Policy


Is it possible to use a wildcard when creating a policy based off of an FQDN?

Thanks

Accepted Solutions

Hello,

A fully qualified domain name (FQDN) should specify its exact location in the tree hierarchy of the Domain Name System (DNS). It specifies all domain levels, including the top-level domain and the root zone. Hence *.blackberry.com will not work as FQDN address object.

Thanks


8 replies

L7 Applicator

Yes, you can add an FQDN address object to the security policy.

FYI:

Step-1

FQDN-1.JPG

Step-2:

FWDN-2.JPG

Thanks

Thanks for the response. I was wondering, though, is there a way I could do something like *.blackberry.com? So if the user is hitting test123.blackberry.com one time, and the next time they go to test1234.blackberry.com, it will allow them to the site without having to add both sites individually?

Thanks


L2 Linker

Even though the thread is closed, there was a clarification published after a solution was provided and accepted: an internal verification will prohibit using wildcard characters in FQDN object declarations - DOC-8222, RegEx Pattern for FQDN Address Object, now available as https://live.paloaltonetworks.com/t5/Management-Articles/RegEx-Pattern-for-FQDN-Address-Object/ta-p/...

When using FQDN objects, one should consider the maximum number of IPs mapped to an FQDN object (DOC-3371, How to Configure and Test FQDN Objects, now available as https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-and-Test-FQDN-Objects/t... ) and the default refresh timer (30 minutes, DOC-5085, How to Change the FQDN Refresh Timers, now available at https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-FQDN-Refresh-Timers/ta... ).

If you are using URL filtering, you can create a custom URL category and apply that category to the security policy.

I think this only works if you are going to use HTTP or HTTPS.

Hi All,

For FQDN objects, the firewall does an nslookup at a defined interval (default 30 minutes) to verify the IP address. Is this true for a custom URL category as well?

Regards,

Deepak Kumar

No.

With an FQDN object, your firewall evaluates the connection at the very first packet: it checks whether the destination address of the SYN (for example) matches the IP address returned for the FQDN object.

With a URL category, you need to allow any as the destination so the connection can establish; once the application data starts to pass through the firewall, it evaluates the rulebase again, and if the address from the actual data matches the rule the traffic is allowed to continue. If not, the firewall denies the rest of the connection.

If the connection is encrypted with SSL/TLS I believe the firewall will use the server certificate
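The two behaviours this thread describes, the no-wildcard check on an FQDN address object and the first-packet IP match of an FQDN object versus the hostname match of a custom URL category, as an added Python example that is not part of the thread and not PAN-OS code. The FQDN syntax regex (not the pattern from DOC-8222), the resolved IP set and the wildcard semantics are constructed assumptions for illustration.

```python
import ipaddress
import re

# Assumed FQDN syntax (NOT the pattern from DOC-8222): dot-separated labels of
# letters, digits and hyphens, at most 253 characters, and no wildcard at all.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}\.?$")

# Constructed stand-in for the firewall's periodic DNS refresh (default 30 min).
RESOLVED = {"test123.blackberry.com": {"203.0.113.10", "203.0.113.11"}}


def is_valid_fqdn_object(value: str) -> bool:
    """True if the value would pass a no-wildcard FQDN object check."""
    return len(value) <= 253 and FQDN_RE.fullmatch(value) is not None


def fqdn_object_matches(fqdn: str, syn_dst_ip: str) -> bool:
    """FQDN object: decided on the first packet, by comparing the SYN's
    destination IP with the IP set returned at the last refresh."""
    if not is_valid_fqdn_object(fqdn):
        raise ValueError(f"rejected FQDN object: {fqdn!r}")
    dst = ipaddress.ip_address(syn_dst_ip)  # raises on a malformed address
    return str(dst) in RESOLVED.get(fqdn.rstrip("."), set())


def url_category_matches(pattern: str, hostname: str) -> bool:
    """Custom URL category: decided only once the hostname is visible in
    application data (HTTP Host header or TLS SNI), so the SYN must be let
    through first. Assumed semantics: a leading '*.' matches any subdomain,
    anything else must match exactly."""
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:].lower()  # e.g. ".blackberry.com"
        return hostname.endswith(suffix) and len(hostname) > len(suffix)
    return hostname == pattern.lower()


def decide(rule_kind: str, rule_value: str, syn_dst_ip: str, hostname: str = "") -> str:
    """Walk one connection the way the reply above describes it: an FQDN rule
    allows or denies at the SYN; a URL rule lets the SYN pass and decides once
    the hostname appears in application data (empty hostname = not seen yet)."""
    if rule_kind == "fqdn":
        return "allow" if fqdn_object_matches(rule_value, syn_dst_ip) else "deny-at-syn"
    if rule_kind != "url":
        raise ValueError(f"unknown rule kind: {rule_kind!r}")
    if not hostname:
        return "syn-allowed-awaiting-host"
    return "allow" if url_category_matches(rule_value, hostname) else "deny-after-host"
```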
