08-31-2017 08:52 AM
It seems like FQDN objects and URL categories have overlapping functionality. Can anyone provide some guidance on which is less resource intensive for something like the below please?
09-01-2017 02:00 AM
FQDN objects and URL filtering categories are very different, depending on how you approach their usage.
An FQDN object is a hostname that you instruct your firewall to resolve via DNS and then apply an action to the IP address associated with the A record of the hostname. This could be very useful for dynamic hosts.
URL filtering will look at the HTTP GET (or SNI/certificate) and apply an action based on the HTTP request (layer 7 instead of layer 3).
The FQDN object will be the least resource intensive, as it populates a straightforward security policy with IP addresses and allows/denies; it will also be the least accurate, as the web server hosting websiteA.com may also be hosting websiteB.com and websiteC.com, which you would then also block/allow.
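The shared-hosting side effect described in the answer above, as an added example that is not part of the original thread or of any PAN-OS code. It stands in a stub resolver for the firewall's DNS lookup (the DNS table, the hostnames and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed), evaluates the same three connections once by destination IP, as an FQDN object would, and once by the requested hostname taken from the HTTP Host header or the TLS SNI, as URL filtering would. The ClientHello builder only produces the minimal record needed for the demo, not a real client's hello.

```python
"""Added example (not from the original thread): contrast layer-3 FQDN-object
matching with layer-7 host matching on constructed traffic."""
import ipaddress
import struct

# Constructed DNS answers standing in for what the firewall would resolve.
# websiteA/B/C share one hosting IP; hostnames and addresses are made up.
DNS_TABLE = {
    "websitea.com": ["203.0.113.10"],
    "websiteb.com": ["203.0.113.10"],
    "websitec.com": ["203.0.113.10"],
    "cdn.example.net": ["198.51.100.20", "198.51.100.21"],
}

def expand_fqdn(fqdn):
    """Resolve an FQDN object to its A-record IPs (stub resolver)."""
    return sorted(DNS_TABLE.get(fqdn.lower(), []))

def fqdn_policy_action(dst_ip, rules, default="allow"):
    """Layer-3 style: rules are (fqdn, action); match on destination IP only.
    First matching rule wins, as in an ordered security policy."""
    ip = ipaddress.ip_address(dst_ip)
    for fqdn, action in rules:
        if ip in {ipaddress.ip_address(a) for a in expand_fqdn(fqdn)}:
            return action
    return default

def host_from_http(request):
    """Pull the Host header out of a raw HTTP/1.1 request (bytes)."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii").split(":")[0].lower()
    return None

def sni_from_client_hello(record):
    """Pull server_name out of a TLS ClientHello record (bytes)."""
    # TLS record header (5) + handshake header (4) + version (2) + random (32)
    p = 5 + 4 + 2 + 32
    p += 1 + record[p]                                # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher suites
    p += 1 + record[p]                                # compression methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        ext_type, length = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if ext_type == 0:  # server_name extension
            # list length (2), name type (1), name length (2), then the name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode("ascii").lower()
        p += length
    return None

def build_client_hello(server_name):
    """Construct a minimal ClientHello carrying only an SNI extension (demo only)."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"       # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
            + b"\x01\x00"                               # one compression method
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type + length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def url_policy_action(host, rules, default="allow"):
    """Layer-7 style: rules are (hostname, action); match on the requested host."""
    for name, action in rules:
        if host == name.lower():
            return action
    return default

def compare(rules):
    """Evaluate the same three connections under both models.
    Returns {host: (action by FQDN object, by HTTP Host, by SNI)}."""
    out = {}
    for host in ("websiteA.com", "websiteB.com", "websiteC.com"):
        dst = expand_fqdn(host)[0]
        http = b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n\r\n"
        tls = build_client_hello(host)
        out[host] = (fqdn_policy_action(dst, rules),
                     url_policy_action(host_from_http(http), rules),
                     url_policy_action(sni_from_client_hello(tls), rules))
    return out

if __name__ == "__main__":
    # A single rule denying websiteA.com also denies B and C under the FQDN model.
    for host, (by_ip, by_http, by_sni) in compare([("websiteA.com", "deny")]).items():
        print(f"{host:14} FQDN object: {by_ip:5}  HTTP Host: {by_http:5}  SNI: {by_sni}")
```

Before relying on an FQDN object for a deny rule, resolve the names you still want reachable and compare the address sets; any overlap with the denied name is collateral blocking that only the hostname-based match avoids.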
09-05-2017 01:00 PM
Plus (correct me if I'm wrong), the FQDN object is only resolved once, when the rules are committed. If the IP changes after the rules are committed, the rule won't match anymore. This becomes an issue for dynamic hosts that change IPs a lot, on firewalls that don't reload the rules that often.
There may be a periodic task that runs to update the FQDN objects (there's an FQDN Refresh task that shows up now and again). But it will still leave gaps where the IP in the rule doesn't match the current IP of the host.
09-05-2017 01:35 PM
@fjwcash The FQDN object is updated at each "FqdnRefresh" task, so committing is not needed.
However, each object is limited to 10 IP addresses so it's not all that helpful if you have a domain with lots of IPs.
10-16-2017 07:41 PM
The limit is 32 IPs per FQDN as of PAN-OS 7.1.
PAN-59614 (98576) In PAN-OS 7.1 and later releases, the maximum number of address objects you can resolve for an FQDN is increased from 10 of each address type (IPv4 and IPv6) to a maximum of 32 each. However, the combination of IPv4 and IPv6 addresses cannot exceed 512B; if it does, addresses that are not included in the first 512B are dropped and not resolved.
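The two limits quoted from the release note above (32 addresses of each family, 512 bytes combined), applied to a resolved name as an added example that is not part of the thread or of PAN-OS itself. The A and AAAA answers are constructed from documentation prefixes, and the admission order (per-family cap first, then IPv4 before IPv6 until the byte budget is spent, at 4 bytes per IPv4 and 16 per IPv6) is an assumption the page does not state; the point is to see when a many-address domain stops fitting in one object.

```python
"""Added example (not from the thread): apply the PAN-OS 7.1 FQDN-object limits
quoted above (32 addresses per family, 512 bytes combined) to a resolved name."""
import ipaddress

MAX_PER_FAMILY = 32   # per the PAN-59614 note
MAX_BYTES = 512       # combined IPv4+IPv6 budget from the same note

def fit_fqdn_object(addresses):
    """Return (kept, dropped) after applying the documented limits.

    Assumption (not stated on the page): the per-family cap is applied first,
    then addresses are admitted in order (IPv4 before IPv6) until the 512-byte
    budget is exhausted; each IPv4 costs 4 bytes, each IPv6 costs 16.
    """
    parsed = [ipaddress.ip_address(a) for a in addresses]
    v4 = [a for a in parsed if a.version == 4]
    v6 = [a for a in parsed if a.version == 6]
    dropped = v4[MAX_PER_FAMILY:] + v6[MAX_PER_FAMILY:]   # over the per-family cap
    kept, used = [], 0
    for addr in v4[:MAX_PER_FAMILY] + v6[:MAX_PER_FAMILY]:
        size = 4 if addr.version == 4 else 16
        if used + size > MAX_BYTES:                       # over the byte budget
            dropped.append(addr)
            continue
        kept.append(addr)
        used += size
    return [str(a) for a in kept], [str(a) for a in dropped]

def constructed_answers(n_v4, n_v6):
    """Constructed A/AAAA answers for the demo (documentation prefixes, not real hosts)."""
    v4 = [f"203.0.113.{i}" for i in range(1, n_v4 + 1)]
    v6 = [f"2001:db8::{i:x}" for i in range(1, n_v6 + 1)]
    return v4 + v6

if __name__ == "__main__":
    # 32 IPv4 + 32 IPv6 is within both per-family caps but 640 bytes, so some
    # IPv6 addresses are dropped by the 512-byte budget.
    for n4, n6 in ((10, 0), (40, 0), (32, 32), (0, 40)):
        kept, dropped = fit_fqdn_object(constructed_answers(n4, n6))
        print(f"{n4:2} A + {n6:2} AAAA -> kept {len(kept):2}, dropped {len(dropped):2}")
```

A quick way to use it in practice is to feed the function the full answer set from a `dig` of the name; if anything lands in the dropped list, traffic to those addresses will not match the rule even though the name resolves to them.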
02-18-2023 11:39 AM
The FQDN refresh interval can now be reduced to even 1 second, starting from PAN-OS 9.0.
The range (in seconds) is now:
<0-14399>