Allow wildcard DNS in a Network Address

L1 Bithead

Hello all,

 

We have set up a Hybrid Connection Wizard between our on-prem Exchange server and Office 365. Microsoft has provided the following link for reference with regard to firewall considerations (https://bit.ly/3dpfiZs).

 

Under SMTP port 25, the document lists *.mail.protection.outlook.com as required under ID #10.

Can anyone advise on the easiest method to allow this as a dynamic address to add to our firewall rule for port 25 traffic?

 

I found this article (https://bit.ly/2L5CtM1), but it seems to apply to URL whitelisting, etc.

 

It would be great if PA or another member could share this element of the Hybrid Configuration Wizard and how they overcame this issue.


All Replies
L6 Presenter

@C4c-1942,

 

 

1. Create a Custom URL category and add your wildcard domain to it, i.e. *.mail.protection.outlook.com

2. Call this custom URL category under Security Policy --> URL Category tab.

3. Configure the required source and destination zones/IPs and App-ID/services in the policy.

 

Currently this is the best option available to achieve your requirement.

 

Mayur
L1 Bithead

Hi Mayur,

 

 

Many thanks for your reply. I'm just learning the PA set-up, so I will try to implement it and come back to you with the results.

 

Thanks for your time!

L1 Bithead

Hi Mayur,

 

This is what I'm getting back from the firewall team:

 

When an FQDN object is committed to the system, the management plane sends out periodic DNS queries to populate this object with IP addresses mapped from the DNS reply. These mapped IP addresses are then pushed down to the dataplane, where they're used inside the object in the security policy. On the dataplane, this object includes only the IP addresses it receives from the management plane, but no domain information. Each FQDN object on the dataplane is limited to a maximum of 10 IP addresses. No actual URL lookups are performed, which is why a wildcard cannot be used.

L6 Presenter

@C4c-1942,

 

Custom URL category and FQDN object are different configurations altogether and are used for different requirements.

 

An FQDN object is an address object which can simply be used as the source address or destination address under a Security Policy. For FQDN objects, the firewall sends a query to its DNS server and gets the list of IP addresses associated with that FQDN. Yes, Palo Alto maps a maximum of 10 IP addresses to that FQDN object. And you can't add a wildcard domain as an FQDN object, as per its name; it will accept only a complete domain.

 

Now, the solution that I am talking about is the creation of a Custom URL Category (type URL List). You can create a custom URL category and add single/multiple wildcard domains under it. Once it is created, it can be called in the Security Policy under the URL Category tab.

 

For your requirement, the security policy would be:

Source IP - Required IP/Network

Destination - Any

APP ID/Service - Required one

URL category - Custom category created by you.

Action - Allow

 

This policy will allow only traffic which is specific to your desired wildcard domain specified under Custom URL category.

You can refer to the article below and follow Option 1: Use URL Category.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltmCAC

 

Hope it helps!

Mayur
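As an added example (not code from the original thread, from Palo Alto Networks, or from PAN-OS), the following Python models the two mechanisms discussed above: the FQDN address object as described by the firewall team (resolved on the management plane, at most 10 IPs, matched on the dataplane by IP only) and the wildcard custom URL category from Mayur's answer (matched on a host name). The DNS answers, IP addresses, host names and the category name are all constructed for the example. The wildcard semantics are a simplified assumption (a leading "*." matches one or more labels, anchored on label boundaries), not a statement of PAN-OS's exact matching rules, and the example only models the host-name match, assuming the firewall has a host name to match against.

```python
"""Added example: model of the two PAN-OS mechanisms discussed in this thread.

An FQDN address object is resolved by the management plane into at most 10
IP addresses and matched on the dataplane by IP only, so a wildcard cannot
be expressed in it. A custom URL category (type URL List) is matched against
a host name, so a wildcard entry such as *.mail.protection.outlook.com can
be used there. All DNS answers, addresses and names below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

FQDN_MAX_IPS = 10  # per-object dataplane limit quoted by the firewall team

# Constructed DNS answers standing in for the firewall's DNS server; the
# addresses are documentation ranges, not real Office 365 MX hosts.
DNS_ANSWERS: Dict[str, List[str]] = {
    # 14 answers: more than an FQDN object can hold
    "example-com.mail.protection.outlook.com": [f"192.0.2.{i}" for i in range(1, 15)],
    "example-net.mail.protection.outlook.com": ["198.51.100.10", "198.51.100.11"],
}


def _labels(name: str) -> List[str]:
    """Split a host name into lower-case DNS labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


@dataclass
class FqdnObject:
    """Address object of type FQDN: one complete name resolved to a bounded IP set."""
    fqdn: str
    resolved: List[ipaddress.IPv4Address] = field(default_factory=list)

    def refresh(self, answers: Dict[str, List[str]] = DNS_ANSWERS) -> int:
        """Management-plane refresh: resolve the name, keep at most FQDN_MAX_IPS.

        Returns how many DNS answers were dropped because of the cap.
        """
        if "*" in self.fqdn:
            raise ValueError("an FQDN object takes a complete host name, not a wildcard")
        ips = answers.get(".".join(_labels(self.fqdn)), [])
        self.resolved = [ipaddress.IPv4Address(ip) for ip in ips[:FQDN_MAX_IPS]]
        return max(0, len(ips) - FQDN_MAX_IPS)

    def matches(self, dst_ip: str) -> bool:
        """Dataplane check: the object holds IPs only, no domain information."""
        return ipaddress.IPv4Address(dst_ip) in self.resolved


def url_entry_matches(entry: str, host: str) -> bool:
    """Match one URL List entry against a host name, label by label.

    Assumed, simplified semantics: an entry without a wildcard must equal the
    host; a leading "*." matches one or more labels to the left of the rest of
    the entry. Matching is anchored on label boundaries, so the wildcard entry
    matches neither xmail.protection.outlook.com nor a lookalike suffix domain.
    """
    entry_labels, host_labels = _labels(entry), _labels(host)
    if entry_labels[0] != "*":
        return entry_labels == host_labels
    suffix = entry_labels[1:]
    return len(host_labels) > len(suffix) and host_labels[-len(suffix):] == suffix


@dataclass
class CustomUrlCategory:
    """Custom URL category of type URL List, referenced from a security rule."""
    name: str
    entries: List[str]

    def matches(self, host: str) -> bool:
        return any(url_entry_matches(e, host) for e in self.entries)


# Assumed category name; the single entry is the one from the question.
CATEGORY = CustomUrlCategory("O365-Hybrid-SMTP", ["*.mail.protection.outlook.com"])


def demo() -> Dict[str, object]:
    """Evaluate constructed destinations against both mechanisms."""
    obj = FqdnObject("example-com.mail.protection.outlook.com")
    dropped = obj.refresh()
    try:
        FqdnObject("*.mail.protection.outlook.com").refresh()
        wildcard_rejected = False
    except ValueError:
        wildcard_rejected = True
    return {
        "fqdn_answers_dropped_by_cap": dropped,  # 4 of the 14 answers
        "fqdn_hits_resolved_ip": obj.matches("192.0.2.3"),
        "fqdn_misses_11th_ip": obj.matches("192.0.2.11"),  # beyond the 10 kept
        "fqdn_rejects_wildcard": wildcard_rejected,
        "category_matches_tenant_host": CATEGORY.matches("example-com.mail.protection.outlook.com"),
        "category_matches_deeper_label": CATEGORY.matches("a.b.mail.protection.outlook.com"),
        "category_rejects_apex": CATEGORY.matches("mail.protection.outlook.com"),
        "category_rejects_no_dot": CATEGORY.matches("xmail.protection.outlook.com"),
        "category_rejects_lookalike": CATEGORY.matches("mail.protection.outlook.com.attacker.example"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:32} {result}")
```

Running it shows the two failure modes a practitioner cares about: a destination that resolves to more addresses than the object can hold is only partly covered (the 11th address misses), and the wildcard must be matched on label boundaries, since a plain substring or endswith() check would accept xmail.protection.outlook.com.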
