Will FQDN names work when the name resolves to a content delivery service?

L1 Bithead

Will FQDN names work when the name resolves to a content delivery service?

For example:

H:\>dig www.microsoft.com

; <<>> DiG 9.2.3 <<>> www.microsoft.com

;; global options:  printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41

;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;www.microsoft.com.             IN      A

;; ANSWER SECTION:

www.microsoft.com.      1937    IN      CNAME   toggle.www.ms.akadns.net.

toggle.www.ms.akadns.net. 20    IN      CNAME   g.www.ms.akadns.net.

g.www.ms.akadns.net.    20      IN      CNAME   lb1.www.ms.akadns.net.

lb1.www.ms.akadns.net.  265     IN      A       65.55.57.27

If you were allowing access to www.microsoft.com, wouldn't everything on these akadns.net devices be allowed?

L6 Presenter

Re: Will FQDN names work when the name resolves to a content delivery service?

I don't know how round-robin DNS names are handled in the PA.

But regarding address objects containing an FQDN instead of an IP: the FQDN is resolved during commit, and then there is a script that every 20 (or maybe it was 30) minutes will recommit the FQDN portions to keep them up to date (because in the fabric only IP addresses are handled).

In your case (if possible) you could add a URL filter as well if you only want to allow requests towards www.microsoft.com.
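The two points raised so far, worked through on the dig output from the first post, as an added example that is not part of the original posts or of any vendor code: an FQDN object collapses to whatever IP the name resolved to, so the rule matches by address rather than hostname, and a periodic refresh is much slower than the 20-second TTLs in the CNAME chain. The function names and the 20/30-minute refresh values (taken from the reply above) are assumptions.

```python
# Added example: models an FQDN address object as "resolve once, match by IP".
# The records below are the ANSWER SECTION quoted in the first post.
DIG_ANSWER = """\
www.microsoft.com.      1937    IN      CNAME   toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 20    IN      CNAME   g.www.ms.akadns.net.
g.www.ms.akadns.net.    20      IN      CNAME   lb1.www.ms.akadns.net.
lb1.www.ms.akadns.net.  265     IN      A       65.55.57.27
"""

def parse_answer(text):
    """Parse dig answer lines into (owner, ttl, rtype, rdata) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0].startswith(";"):
            continue  # skip blank lines and dig comment lines
        owner, ttl, _cls, rtype, rdata = fields
        records.append((owner.lower(), int(ttl), rtype, rdata.lower()))
    return records

def resolve_chain(records, fqdn):
    """Follow CNAMEs from fqdn; return (ips, chain, shortest TTL on the path)."""
    name = fqdn.lower().rstrip(".") + "."
    chain, ttls, seen = [name], [], set()
    while name not in seen:  # guard against CNAME loops
        seen.add(name)
        cname = next((r for r in records if r[0] == name and r[2] == "CNAME"), None)
        if cname is None:
            break
        ttls.append(cname[1])
        name = cname[3]
        chain.append(name)
    ips = set()
    for owner, ttl, rtype, rdata in records:
        if owner == name and rtype == "A":
            ips.add(rdata)
            ttls.append(ttl)
    return ips, chain, (min(ttls) if ttls else None)

def stale_window(effective_ttl, refresh_seconds):
    """Seconds per refresh cycle in which the cached IP may no longer be current."""
    return max(0, refresh_seconds - effective_ttl)

def ip_rule_allows(allowed_ips, dst_ip):
    """An IP-based rule sees only the destination address, never the hostname."""
    return dst_ip in allowed_ips
```

With the page's records, the shortest TTL on the path is 20 seconds, so a 20-minute refresh leaves up to 1180 seconds per cycle in which clients may be handed an address the object does not contain.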

L1 Bithead

Re: Will FQDN names work when the name resolves to a content delivery service?

Well, my problem is that we are using authenticated access... Certain user groups have rights to access more URL groups than others...

How would I create a URL filter to allow un-authenticated access to www.microsoft.com while continuing to require authenticated access for the other type of URL groups?

Any help on this would be greatly appreciated!!


Re: Will FQDN names work when the name resolves to a content delivery service?

Well, you can use a security policy before all others, with a custom URL category as the match object, and allow traffic through this rule (supported since 4.1.x).

Like this:

Kind regards

Marco

L1 Bithead

Re: Will FQDN names work when the name resolves to a content delivery service?

That would be great if we were running 4.1... We're still on 4.0.12 at this point... With 17 firewalls and Panorama, upgrading is somewhat painful..

L4 Transporter

Re: Will FQDN names work when the name resolves to a content delivery service?

Panorama should make that easy. :smileywink:
