Wildcards in address objects

L2 Linker

Wildcards in address objects

Instead of creating several address objects for the many MS update servers available, and then creating a group to plug into a security policy that allows my WSUS server to get updates, is there a way to use wildcards in the address objects? MS Update lists multiple locations available for updates:

This list could be condensed down to perhaps four address objects:

  1. *.windowsupdate.microsoft.com
  2. *.update.microsoft.com
  3. *.download.windowsupdate.com
  4. *.windowsupdate.com

which could be put into an address group, with the group used as the security policy destination. Then I only have to move objects into and out of the group as MS changes, and I don't have to worry about changing a rule. If they add or remove servers within the wildcard domains, then I don't need to make any changes.

Thanks,

Bart

L4 Transporter

Re: Wildcards in address objects

Hi Bart,

I assume the following is what you are trying to do:

When you log into the Web UI:

Objects ---> Addresses ---> Click Add

You would like to add the FQDN as a wildcard address.

Name: testobject

Type: FQDN, value *.windowsupdate.microsoft.com

See attachment: wildcard.PNG

The above FQDN syntax is not valid and cannot be used.

If this is what you are trying to do, Wildcards in address objects cannot be used (at this time).

You would have to create multiple addresses and encapsulate them in a group and bind it to the policy.

Regards,

Parth

L2 Linker

Re: Wildcards in address objects

Yes, I had tried that already and discovered I couldn't do it. I'm wondering if there is any other way to accomplish this.

L4 Transporter

Re: Wildcards in address objects

Hi Bart,


You can use those wildcards in the URL Filtering profile and have them in the explicit allow/block list. The URL Filtering profile can then be applied to the policy.

Go to Objects ---> URL Filtering Profile and list the following URLs in the Allow list:

*.windowsupdate.microsoft.com
*.update.microsoft.com
*.download.windowsupdate.com
*.windowsupdate.com

Please see the attachment: url-filtering.PNG

This way you can use the wildcards, BUT only to ALLOW and DENY.
Let me know if that helps.

Regards,

Parth

L2 Linker

Re: Wildcards in address objects

Thanks,

I had looked at that before writing the post and was wondering if that wouldn't work. I'll give it a try.

L6 Presenter

Re: Wildcards in address objects

A custom URL filtering category along with only allowing appid:ms-update (and setting service:default-application) should do it.

A side note is that SSL decryption doesn't work for MS update traffic (since they use their own built-in certs and don't allow any other, at least if you use WSUS or such), so I'm not sure how widely open the above rule might be in reality.

I'm not sure how you can limit it down further in a good way. Perhaps adding dstip:65.55.27.0/24, but these IPs I guess might differ from time to time, along with being different depending on when and from where you query the DNS.

Edit: Seems it was true regarding various IPs for windowsupdate... so make that dstip:65.55.0.0/16

L1 Bithead

Re: Wildcards in address objects

I used a Custom URL Category along with ms-update application filtering, but it was not enough to just list the wildcard versions of the FQDNs; I also had to list the FQDN without the *.

i.e. this is what worked for me with PAN-OS 4.1.10:

windowsupdate.microsoft.com
*.windowsupdate.microsoft.com
update.microsoft.com
*.update.microsoft.com
download.windowsupdate.com
*.download.windowsupdate.com
windowsupdate.com
*.windowsupdate.com

Not applicable

Re: Wildcards in address objects

Yes, this works, but only for HTTP. How to make this work for FTP?

L6 Presenter

Re: Wildcards in address objects

If you want to limit which FTP sites should be possible to visit, you need to use FQDN objects or set up a dynamic address object which you then "feed" by a script running on some server (to inform the PA device which IP addresses this current address object/group should point at).
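The "feed it by a script" approach from the post above, as an added example that is not from the thread or from Palo Alto Networks. It assumes the PAN-OS User-ID XML API format (`type=user-id` with `<register>`/`<unregister>` entries that tag an IP, introduced with dynamic address groups in PAN-OS 6.0) rather than the older dynamic address object format the post had in mind on PAN-OS 4.1; a dynamic address group matching the tag `ms-update-servers` is then used as the policy destination. Since a wildcard cannot be resolved, the script takes concrete hostnames (the three listed are placeholders, not a verified list) and converges the firewall's tagged set against what DNS returned last time, so a name that stops resolving does not silently leave a stale IP in the group. The `resolver` parameter exists so the logic can be exercised offline.

```python
"""Feed a PAN-OS dynamic address group from resolved Windows Update hostnames.

Added example; not code from the thread. Assumptions not confirmed by the thread:
  - PAN-OS 6.0+ User-ID XML API (type=user-id) with <register>/<unregister>
    entries that tag IPs; a dynamic address group matching TAG is the policy
    destination. The PAN-OS 4.1 dynamic address object format is not emitted.
  - HOSTNAMES are concrete names you maintain (wildcards cannot be resolved);
    the entries below are illustrative placeholders.
"""
import json
import os
import socket
import ssl
import urllib.parse
import urllib.request
from xml.etree import ElementTree as ET

TAG = "ms-update-servers"          # tag the dynamic address group matches on
STATE_FILE = "ms-update-ips.json"  # IPs registered on the previous run

# Placeholder hostnames under the wildcard domains from the thread.
HOSTNAMES = [
    "download.windowsupdate.com",
    "www.update.microsoft.com",
    "fe2.update.microsoft.com",
]


def resolve_all(hostnames, resolver=None):
    """Return the sorted, de-duplicated IPv4 addresses for all hostnames.

    resolver(host) -> list of IP strings; defaults to live DNS. A name that
    fails to resolve is skipped, so one decommissioned name does not abort
    the run (it simply drops out of the group on the next diff).
    """
    def live(host):
        infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
        return [info[4][0] for info in infos]

    resolver = resolver or live
    ips = set()
    for host in hostnames:
        try:
            ips.update(resolver(host))
        except (socket.gaierror, OSError):
            continue
    return sorted(ips)


def diff_ips(previous, current):
    """Return (to_register, to_unregister) so the firewall's tagged set converges."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


def build_uid_message(tag, register, unregister):
    """Build the User-ID XML that tags/untags IPs for a dynamic address group."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for action, ips in (("register", register), ("unregister", unregister)):
        if not ips:
            continue
        section = ET.SubElement(payload, action)
        for ip in ips:
            entry = ET.SubElement(section, "entry", ip=ip)
            ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")


def push(firewall, api_key, xml, verify_tls=True):
    """POST the message to the firewall XML API; return the response status."""
    url = "https://%s/api/" % firewall
    data = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": xml}).encode()
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab box with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, data=data, context=ctx, timeout=10) as resp:
        return ET.fromstring(resp.read()).get("status")


def load_state(path=STATE_FILE):
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        return json.load(fh)


def save_state(ips, path=STATE_FILE):
    with open(path, "w") as fh:
        json.dump(ips, fh)


if __name__ == "__main__":
    # Run from cron; FW_HOST and FW_API_KEY are assumed environment variables.
    current = resolve_all(HOSTNAMES)
    add, drop = diff_ips(load_state(), current)
    if add or drop:
        status = push(os.environ["FW_HOST"], os.environ["FW_API_KEY"],
                      build_uid_message(TAG, add, drop))
        if status == "success":
            save_state(current)
```

Registrations made this way live in the firewall's runtime state, not its configuration, so the state file is what lets the script unregister addresses that DNS no longer returns; keep it alongside the script and do not hand-edit it.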
