11-20-2018 01:41 AM
How do you configure a correct FW rule to only allow downloads for a specific user from a specific URL, when the content is hosted on Akamai networks?
I configured a FW rule with the URL of the server as FQDN in the destination field and allowed downloads, but since the content is hosted on Akamai, the FW rule is ignored.
I don't want to give the user full download access to akamai networks...
How is it done on Palo Alto FW's ?
11-22-2018 12:11 PM
Create a custom url category containing the needed url.
Then use it in the url category section of the firewall rule.
Use destination IP any.
The firewall will then allow the TCP handshake to any IP address and then when the first packet with payload comes it will compare the requested url against the url in the custom url category. If it matches, the session will be allowed. If not, the session will be closed.
11-26-2018 05:37 AM
Thank you for the information.
I've created a FW rule keeping your tips in mind and it works as expected now.
04-01-2020 11:36 PM
I have the same question for the Trend Micro update services.
nslookup shows me the Akamai DNS address e16632.dscd.akamaiedge.net
Is this the right one for the security rule?
nslookup smex125-p.activeupdate.trendmicro.com
Nicht autorisierende Antwort:
Name: e16632.dscd.akamaiedge.net
Addresses: 2a02:26f0:fe00:1bb::40f8
2a02:26f0:fe00:1b6::40f8
2a02:26f0:fe00:180::40f8
2a02:26f0:fe00:1b7::40f8
2a02:26f0:fe00:1bf::40f8
95.100.198.74
Aliases: smex125-p.activeupdate.trendmicro.com
star-ds.activeupdate.trendmicro.com.edgekey.net
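Added example (not part of any post in this thread, and not Palo Alto code): a simplified Python model of the matching described in the accepted answer, run on the hostnames from the nslookup output above. The wildcard semantics, the 192.0.2.10 client address and downloads.example.net are assumptions made for the illustration.

```python
import re

TOKEN_RUN = r"[^./]+(?:\.[^./]+)*"  # one or more dot-separated labels

def entry_matches(entry, requested_host):
    """Simplified model (assumption): '*' stands for one or more whole labels."""
    parts = [re.escape(p) for p in entry.lower().rstrip("/").split("*")]
    return re.fullmatch(TOKEN_RUN.join(parts), requested_host.lower()) is not None

def evaluate_session(rule, session):
    """Return 'allow', 'close' or 'no-match' for one session against one rule."""
    if session["src_ip"] != rule["source_ip"]:
        return "no-match"  # rule does not apply to this client
    # Destination is "any": the TCP handshake to whichever edge IP DNS
    # returned is let through, so dst_ip plays no part in the decision.
    # The first payload packet carries the hostname the client asked for
    # (HTTP Host header or TLS SNI); that name is compared, not the CNAME target.
    host = session["requested_host"]
    if any(entry_matches(e, host) for e in rule["url_category"]):
        return "allow"
    return "close"

# Constructed sample data (client address and second hostname are made up).
CLIENT = "192.0.2.10"
EDGE_IP = "95.100.198.74"  # shared CDN edge address from the nslookup output
UPDATE_HOST = "smex125-p.activeupdate.trendmicro.com"

rule_by_requested_name = {"source_ip": CLIENT,
                          "url_category": ["*.activeupdate.trendmicro.com"]}
rule_by_cdn_alias = {"source_ip": CLIENT,
                     "url_category": ["e16632.dscd.akamaiedge.net"]}

update_session = {"src_ip": CLIENT, "dst_ip": EDGE_IP,
                  "requested_host": UPDATE_HOST}
other_session = {"src_ip": CLIENT, "dst_ip": EDGE_IP,
                 "requested_host": "downloads.example.net"}

if __name__ == "__main__":
    cases = [("requested name", rule_by_requested_name, update_session),
             ("requested name", rule_by_requested_name, other_session),
             ("CDN alias", rule_by_cdn_alias, update_session)]
    for label, rule, session in cases:
        verdict = evaluate_session(rule, session)
        print(f"{label:15} {session['requested_host']:40} {verdict}")
```

Both sessions go to the same edge IP, yet only the one whose requested hostname is in the category is allowed; a category listing the CDN alias matches neither.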
06-11-2021 01:25 AM
I think I am missing something as my rule will not match traffic. I have created a custom URL category - akamai - with *.deploy.static.akamaitechnologies.com in its 'sites' list.
I then create a rule specifying the IP of my test machine (in zone trust) as permitted to reach any destination IP in the untrust zone.
Applications is set to 'any'. Under 'Service/URL Category' I have 'any' service and URL category 'akamai'.
04-05-2022 09:23 AM
It worked like a charm. Thanks.