FQDN objects or URL Categories

cancel
Showing results for 
Search instead for 
Did you mean: 

FQDN objects or URL Categories

L0 Member

It seems like FQDN objects and URL categories have overlapping functionality.  Can anyone provide some guidance on which is less resource intensive for something like the below please?

 

1 ACCEPTED SOLUTION

Accepted Solutions

Cyber Elite
Cyber Elite

FQDN objects and URL filtering categories are very different, depending on how you approach their usage

 

An FQDN object is a hostname that you instruct your firewall to resolve via DNS and then apply an action to the IP address associated with the A record of the hostname. This could be very useful for dynamic hosts

 

URL filtering will look at the http GET (or SNI/certificate) and apply an action based on the http request (layer 7 instead of layer 3)

 

The fqdn object will be least resource intensive as it populates a straight forward security policy with IP addresses and allows/denies, it will also be the least accurate as the webserver hosting websiteA.com may also be hosting websiteB.com and websiteC.com, which you would then also block/allow

 

Tom Piens
PANgurus - (co)managed services and consultancy

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

FQDN objects and URL filtering categories are very different, depending on how you approach their usage

 

An FQDN object is a hostname that you instruct your firewall to resolve via DNS and then apply an action to the IP address associated with the A record of the hostname. This could be very useful for dynamic hosts

 

URL filtering will look at the http GET (or SNI/certificate) and apply an action based on the http request (layer 7 instead of layer 3)

 

The fqdn object will be least resource intensive as it populates a straight forward security policy with IP addresses and allows/denies, it will also be the least accurate as the webserver hosting websiteA.com may also be hosting websiteB.com and websiteC.com, which you would then also block/allow

 

Tom Piens
PANgurus - (co)managed services and consultancy

Plus, (correct me if I'm wrong) the FQDN Object is only resolved once when the rules are committed.  If the IP changes after the rules are committed, the rule won't match anymore.  This becomes an issue for dynamic hosts that change IPs a lot, for firewalls that don't reload the rules that often.

 

There may be a periodic task that runs to update the FQDN Objects (there's an FQDN Refresh task that shows now and again).  But it will still leave gaps where the IP in the rule doesn't match the current IP of the host.

@fjwcash The FQDN object is updated at each "FqdnRefresh" task, so committing is not needed.

 

However, each object is limited to 10 IP addresses so it's not all that helpful if you have a domain with lots of IPs.

The limit is 32 IP's per FQDN as of PAN-OS 7.1

 

PAN-59614 (98576) In PAN-OS 7.1 and later releases, the maximum number of address objects you can resolve for an FQDN is increased from 10 of each address type (IPv4 and IPv6) to a maximum of 32 each. However, the combination of IPv4 and IPv6 addresses cannot exceed 512B; if it does, addresses that are not included in the first 512B are dropped and not resolved.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!