custom url category with non http and https port.

HI Rene,

I have requirement from customer to open port 389 and 4172 for eg *.xyz domain.

So I created custom category *.xyz.com and have to create rule by calling this category into rule and will allow only 389 and 4172 ports.

As far my understanding url category work only for ssl and web-browsing traffic, so just wanted to know if I keep url category in rule for port port 389 and 4172 will that rule work?

Thanks

Dhananjay

Hi,

ok now I got you. So you are correct URL filtering is working with http/https only. Futhermore it is kind of uncommon to have URL filtering active in inwards direction. So I saw the request for port 389 which is basically LDAP, dont know for 4172. However please make yourself familiar with the conecpt of an "application firewall" - we do not open ports anymore. But in term of customers request you are right, this is not going to work.

Hi @DhananjayBhakte ,

It sounds like you need FQDN not URL. 

You can use FQDN object as source or destination address in the policy. Firewall will query the DNS server and use this fqdn to resolve it to IP address. The received IP will be cached for configured amount of time (probably 30min was the default, but not sure). 

Given the port from your description it sound be more reasonable to use FQDN instead of URL filtering. 

To be more precise URL custom category  will work with web-based application. If you think for a bit it is logical - firewall needs to know which part of the traffic is the URL, so it doesn't matter what port you are using

HI Alexzandar,

Traffic is not URL traffic and its application is not applicable. 

For known fqdn e.g abc.xyz.com it is possible to write rule however fqdn is not fixed, customer says fqdn will change every time but domain (xyz.com) would be fixed, So my query is Can I allow wildcast *.xyz.com instead of single fqdn in security policy using custom url category for custom ports.?

Thanks

Dhananjay Bhakte

---

@DhananjayBhakte wrote:

HI tellthebell

 

Traffic is not URL traffic and its application is not applicable. 

For known fqdn e.g abc.xyz.com it is possible to write rule however fqdn is not fixed, customer says fqdn will change every time but domain (xyz.com) would be fixed, So my query is Can I allow wildcast *.xyz.com instead of single fqdn in security policy using custom url category for custom ports.?

 

Thanks

Dhananjay Bhakte

---

You can use FQDN object as source or destination address in the policy. Firewall will query the DNS server and use this fqdn to resolve it to IP address. The received IP will be cached for configured amount of time (probably 30min was the default, but not sure). 

Given the port from your description it sound be more reasonable to use FQDN instead of URL filtering. 

HI Couvertjy,

Now I allow policy as below,

Source Zone :- Internet

Source IP address:-  x.x.x.x

Destination Zone :- Lan

Destination IP address:- Any

Custom URL Categary :- *.xyz.com

Port :389 and 8759

Action : Allow

It is working, but my question is still there as *.xyz.com is hosted on internet so how can firewall allowing  xyz.com fqdn to access ports on Lan zone through Custom URL category?. So here URL category is acting as source IP . So is it possible that custom url category can act as source or destination IP.

Thanks

Dhananjay Bhakte

let me correct my below comment

Source IP also any 

Source Zone :- Internet

Source IP address:-  any

Destination Zone :- Lan

Destination IP address:- Any

Custom URL Categary :- *.xyz.com

Port :389 and 8759

Action : Allow