FQDN security in policy

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

FQDN security in policy

L0 Member

Hi All, I am quite new to palo alto. can anyone explain me what happened if we configured object as a FQDN, IP and URL..I have created one security policy where I have implemented destination as a FQDN (nslookup results into 1 IP address) but user is reporting that it's not working..For that, FQDN default TTL is 5 mins, refresh time is 6 hours..
and How can we defined whether need to configured address as FQDN or URL, how TTL value play the role in that ???

 

Puja
1 REPLY 1

L5 Sessionator

How have you implemented the firewall rules? And have you searched the traffic logs to see if the user is getting blocked/filtered through a different firewall rule than expected?

 

FQDNs and IPs are essentially the same and match on the source or destination IP address in the Security Policy, with the exception that FQDN objects will automatically update if the IP address changes. However, it is important to remember that you client may not have the same root DNS source and therefore might not be going to the same IP for a given FQDN and the PaloAlto resolves. Also, some sites use fast-flux DNS, where the IP is constantly changing and only some IPs are returned at any given time from a large set of possible IPs, so it is basically impossible to keep the PA and client DNS responses consistent.

 

A URL object matches in HTTP/HTTPS/etc. protocol traffic, but is never resolved to an IP. A security policy with a URL object is looking at the HTTP headers to extract the target URL (which may exist across multiple IPs or multiple unrelated URLs may reside on the same server IP). If you are using URL objects be sure to terminate them correctly as the wildcard matching may not always work as expected.

 

A simple URL object Security Policy can also be tricky to implement because many websites may appear to be at a simple URL, but the page actually includes lots of resources from many other URLs and domains. You may also need to be running SSL decryption to get full use out of URL objects (to be able to see all the URLs in the session).

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!