Identifying FQDN object addresses in log files

L4 Transporter


We are using FQDN objects and network objects with a traditional IP address in rules to block traffic. How do you easily determine the associated object when all you see are IP addresses in the logs? When looking at the logs and resolving host names, the defined name appears for IP-addressed objects, but the DNS reverse lookup value appears for the FQDN-defined object, not the FQDN-defined name. It is useful when you have comments in the description field (used to provide background info as to why we are blocking the destination). Any suggestions would be helpful.

L5 Sessionator

Re: Identifying FQDN object addresses in log files

Logs won't show the object name.

You can check the FQDN-related details using the CLI command:

> request system fqdn show

FQDN Table : Last Request time Thu Mar 14 00:34:58 2013
--------------------------------------------------------------------------------
                      IP Address     Remaining TTL     Secs Since Refreshed
--------------------------------------------------------------------------------
VSYS  : vsys1
www.google.com  (Objectname test):
   2001:4860:4002:801:0:0:0:1013                49                       12
                  74.125.227.144                49                       12
                  74.125.227.145                49                       12
                  74.125.227.146                49                       12
                  74.125.227.147                49                       12
                  74.125.227.148                49                       12
VSYS  : shared

"Unfortunately we can only show traffic logs by IP addresses. Basically when we use FQDN in address objects, the PA device will resolve the IPs for those objects and will use that in the policy. Hence you will always see traffic logs showing IP address. However, you can perhaps configure rules with just one specific FQDN as the source or destination. Then you can use the rule name with the FQDN name to be able to track it in the traffic log." -rkim

ref:

-AMeya

L4 Transporter

Re: Identifying FQDN object addresses in log files


Thanks for the feedback akawimandan. If we created a second rule for FQDN objects being blocked, we would still have the problem of identifying the defined host. I did the fqdn show and so far I have 85 entries and growing. After a bit of digging I might use a program called FastResolver - Host Names/IP Addresses/MAC Address Scanner, which can do the DNS resolutions and then easily sort the results by IP order for easy lookup. Your feedback and attached post showed me that there is no easy fix so I had to dig deeper.

Thanks - Phil
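As an added example (not code from either poster or from Palo Alto Networks), the Python below parses the "request system fqdn show" output quoted above into an IP-to-object map and tags any IP in a traffic-log line that an FQDN object resolved to with that object's name, which is the lookup Phil describes doing by hand against sorted resolver output. The CLI output is trimmed to three address rows and the log line is a constructed sample; its field layout is an assumption, since the parser only looks for IP-shaped tokens.

```python
import ipaddress
import re

# Sample "request system fqdn show" output, constructed from the thread above
# (trimmed to three address rows); not captured from a live firewall.
FQDN_SHOW = """\
FQDN Table : Last Request time Thu Mar 14 00:34:58 2013
--------------------------------------------------------------------------------
                      IP Address     Remaining TTL     Secs Since Refreshed
--------------------------------------------------------------------------------
VSYS  : vsys1
www.google.com  (Objectname test):
   2001:4860:4002:801:0:0:0:1013                49                       12
                  74.125.227.144                49                       12
                  74.125.227.145                49                       12
VSYS  : shared
"""

_VSYS_RE = re.compile(r"^VSYS\s*:\s*(\S+)")
_OBJ_RE = re.compile(r"^(\S+)\s+\(Objectname (.+?)\):\s*$")

def parse_fqdn_show(text):
    """Return {normalised IP: (vsys, fqdn, object name)} from the CLI output."""
    table, vsys, current = {}, "", None
    for line in text.splitlines():
        if m := _VSYS_RE.match(line):
            vsys, current = m.group(1), None          # new vsys section starts
        elif m := _OBJ_RE.match(line):
            current = (vsys, m.group(1), m.group(2))  # "fqdn  (Objectname name):"
        elif current is not None and len(fields := line.split()) == 3:
            try:  # address rows are "<ip> <ttl> <secs>"; anything else is skipped
                table[ipaddress.ip_address(fields[0]).compressed] = current
            except ValueError:
                pass
    return table

_IP_TOKEN_RE = re.compile(r"[0-9A-Fa-f:.]+")

def annotate_log_line(line, table):
    """Tag each IP in a log line that an FQDN object resolved to with object/fqdn."""
    def tag(m):
        try:
            entry = table.get(ipaddress.ip_address(m.group(0)).compressed)
        except ValueError:       # timestamps, ports, plain words: not an address
            return m.group(0)
        return f"{m.group(0)}[{entry[2]}/{entry[1]}]" if entry else m.group(0)
    return _IP_TOKEN_RE.sub(tag, line)

# Constructed traffic-log line (assumed layout): time, action, source, destination, rule
LOG_LINE = "2013/03/14 00:35:10,deny,10.1.1.5,74.125.227.145,block-fqdn-objects"
```

Feeding an exported traffic log through annotate_log_line, one line at a time, gives a copy in which the blocked destinations carry the object name the rule was written against.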
