Allow wildcard DNS in a Network Address


L1 Bithead

Hello all,

 

We have set up a Hybrid Connection Wizard between our on-prem Exchange server and Office 365. Microsoft has provided the following link for reference regarding firewall considerations (https://bit.ly/3dpfiZs).

 

Under SMTP port 25, the document lists *.mail.protection.outlook.com as required under ID#10.

Can anyone advise on the easiest method to allow this as a dynamic address to add to our firewall rule for port 25 traffic?

 

I found this article (https://bit.ly/2L5CtM1), but it seems to apply to URL whitelisting etc.

 

It would be great if PA or another member could share this element of the Hybrid Configuration Wizard and how they overcame this issue.

1 ACCEPTED SOLUTION

@C4c-1942,

 

Custom URL category and FQDN object are different configurations altogether and are used for different requirements.

An FQDN object is an address object which can simply be used as a source address or destination address under a Security Policy. For FQDN objects, the firewall sends a query to its DNS server and gets the list of IP addresses associated with that FQDN. Yes, Palo Alto maps a maximum of 10 IP addresses to that FQDN object. And you can't add a wildcard domain as an FQDN object, as per its name: it will accept only a complete domain.

Now the solution that I am talking about is the creation of a Custom URL Category (type URL list). You can create a custom URL category and add single/multiple wildcard domains under it. Once it is created, it can be called in the Security Policy under the URL category tab.

 

For your requirement, security policy would be,

Source IP - Required IP/Network

Destination - Any

APP ID/Service - Required one

URL category - Custom category created by you.

Action - Allow

 

This policy will allow only traffic that is specific to the wildcard domain you specified under the custom URL category.

You can refer to the article below and follow Option 1: Use URL Category.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltmCAC

 

Hope it helps!

Mayur

Cyber Elite

@C4c-1942,

 

 

1. Create Custom URL category and add your wildcard domain in it i.e. *.mail.protection.outlook.com

2. Call this custom URL category under Security Policy --> URL Category tab.

3. Configure required Source and Destination zones/IPs and APP-ID /services in the policy.

 

Currently this is the best option available to achieve your requirement.

 

Mayur

Hi Mayur,

Many thanks for your reply. I'm just learning the PA set-up, so I will try to implement it and come back to you with the results.

 

thanks for your time! 🙂

Hi Mayur,

 

This is what I'm getting back from the firewall team:

When an FQDN object is committed to the system, the management plane sends out periodic DNS queries to populate this object with IP addresses mapped from the DNS reply. These mapped IP addresses are then pushed down to the dataplane, where they're used inside the object in the security policy. On the dataplane, this object includes only the IP addresses it receives from the management plane, but no domain information. Each FQDN object on the dataplane is limited to a maximum of 10 IP addresses. No actual URL lookups are performed, which is why a wildcard cannot be used.


L1 Bithead

I know this post already has an accepted solution, but it does not seem to answer the question.

The question is how to allow traffic on port 25 from *.mail.protection.outlook.com. I don't see how adding a URL category to the policy answers this, since the traffic is coming in on port 25 and will not be using URLs.

 

 

I've just run into this problem converting Check Point's 'domain' objects (which match a parent and any subdomain). Expedition converted the objects to a group containing a) the domain suffix and b) a www record, assuming that's the only subdomain we needed 🙂

 

I have found the URL category match criteria in a rule does NOT appear to apply to connections that don't use an actual URL e.g. ping or ssh to *.amazonaws.com

 

In which case how would we allow ssh access to *.amazonaws.com in PAN-OS?
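To make the distinction in this thread concrete, here is an added Python model (not PAN-OS code and not from any poster) of the two mechanisms: an FQDN address object that holds only the IPs the management plane resolved, capped at the per-object limit quoted above, and a custom URL category whose wildcard entry is matched against a hostname extracted from the session. The DNS answers, IP addresses, rule names and session records are all constructed for the example. The wildcard semantics (`*.` matching one or more leading labels, never the bare domain) and the hostname-less SMTP session are modelling assumptions chosen to reproduce the behaviour reported in the last reply; check the linked KB article for the exact token rules on your PAN-OS version.

```python
# Constructed model (not PAN-OS code) of the two matching mechanisms above:
# a fake DNS table stands in for the firewall's DNS server, Session records
# stand in for dataplane traffic.
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional

# Constructed answers; twelve of them so the per-object limit is exceeded.
FAKE_DNS = {
    "contoso-com.mail.protection.outlook.com": [f"104.47.{i}.36" for i in range(1, 13)],
}
# Limit quoted in the thread; later PAN-OS releases raise it (check your release notes).
FQDN_IP_LIMIT = 10


@dataclass
class FqdnObject:
    """Address object: the dataplane copy holds resolved IPs only, no name."""
    name: str
    fqdn: str
    ips: set = field(default_factory=set)

    def __post_init__(self):
        if "*" in self.fqdn:  # DNS cannot enumerate "*.domain"
            raise ValueError(f"{self.fqdn!r}: a wildcard is not a resolvable name")

    def refresh(self, dns=FAKE_DNS):
        """Management-plane refresh; returns how many DNS answers were dropped."""
        answers = dns.get(self.fqdn, [])
        self.ips = {ip_address(a) for a in answers[:FQDN_IP_LIMIT]}
        return len(answers) - len(self.ips)

    def matches(self, session):
        return ip_address(session.dst_ip) in self.ips


@dataclass
class CustomUrlCategory:
    """URL-list category, matched against a hostname extracted from the session."""
    name: str
    entries: list

    @staticmethod
    def _entry_matches(entry, host):
        if entry.startswith("*."):
            suffix = entry[1:]  # keep the dot: "evil-mail.protection..." must not match
            return host.endswith(suffix) and len(host) > len(suffix)
        return host == entry

    def matches(self, session):
        if session.hostname is None:  # raw SMTP: nothing for URL filtering to inspect
            return False
        host = session.hostname.lower().rstrip(".")
        return any(self._entry_matches(e.lower(), host) for e in self.entries)


@dataclass
class Session:
    dst_ip: str
    app: str
    hostname: Optional[str] = None  # from HTTP Host / TLS SNI; None for SMTP


@dataclass
class Rule:
    name: str
    app: str
    criteria: list  # objects with .matches(session); all must match

    def allows(self, session):
        return session.app == self.app and all(c.matches(session) for c in self.criteria)


def evaluate(rules, session):
    """First-match evaluation; returns the matching rule name or 'deny'."""
    return next((r.name for r in rules if r.allows(session)), "deny")


def demo():
    """Run the cases raised in the thread and return the outcomes by name."""
    try:
        FqdnObject("bad", "*.mail.protection.outlook.com")
        wildcard_rejected = False
    except ValueError:
        wildcard_rejected = True
    mx = FqdnObject("o365-mx", "contoso-com.mail.protection.outlook.com")
    dropped = mx.refresh()
    cat = CustomUrlCategory("o365-wildcard", ["*.mail.protection.outlook.com"])
    rules = [
        Rule("smtp-by-category", "smtp", [cat]),  # the accepted answer's approach
        Rule("smtp-by-fqdn", "smtp", [mx]),       # IP-based alternative
        Rule("web-by-category", "web-browsing", [cat]),
    ]
    cases = {
        "smtp_known_ip": Session("104.47.3.36", "smtp"),
        "smtp_eleventh_ip": Session("104.47.11.36", "smtp"),
        "https_subdomain": Session("40.99.1.1", "web-browsing", "outlook-com.mail.protection.outlook.com"),
        "https_lookalike": Session("192.0.2.7", "web-browsing", "evil-mail.protection.outlook.com"),
        "https_bare_domain": Session("40.99.1.2", "web-browsing", "mail.protection.outlook.com"),
    }
    result = {name: evaluate(rules, s) for name, s in cases.items()}
    result.update(dropped_answers=dropped, wildcard_rejected=wildcard_rejected)
    return result
```

Running `demo()` shows the two failure modes side by side: the SMTP session is never matched by the category rule because there is no hostname to inspect, so only the IP-based FQDN rule allows it, and the eleventh resolved address falls outside the object's limit and is silently denied. The lookalike case is the check worth keeping when you write any suffix match of your own: the comparison must include the leading dot, or `evil-mail.protection.outlook.com` would be accepted as a subdomain.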
