how to whitelist Akamai downloads ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

how to whitelist Akamai downloads ?

L2 Linker

How do yuo configure a correct FW rule to only allow downloads for a specific user from a specific URL, but the content is hosted on akamai networks ?

 

I configred a FW rule with the URL of the server as FQDN in the destination field and allowed downloads but since the content is hosted on akamai, the FW rule is ignored.

I don't want to give the user full download access to akamai networks...

 

How is it done on Palo Alto FW's ?

1 accepted solution

Accepted Solutions

L4 Transporter

Create a custom url category containing the needed url.

Then use it in the url category section of the firewall rule.

Use destination IP any.

The firewall will then allow the TCP handshake to any IP address and then when the first packet with payload comes it will compare the requested url against the url in the custom url category. If it matches, the session will be allowed. If not, the session will be closed.

View solution in original post

5 REPLIES 5

L4 Transporter

Create a custom url category containing the needed url.

Then use it in the url category section of the firewall rule.

Use destination IP any.

The firewall will then allow the TCP handshake to any IP address and then when the first packet with payload comes it will compare the requested url against the url in the custom url category. If it matches, the session will be allowed. If not, the session will be closed.

Thank you for the information.

I've created a FW rule keeping your tips in mind and it works like expected now.

L2 Linker

I have the same question for the trend micro update services.

 

nslookup show me the akamai dns adress e16632.dscd.akamaiedge.net

Is this the right one for the security rule?

 

nslookup smex125-p.activeupdate.trendmicro.com

Nicht autorisierende Antwort:
Name: e16632.dscd.akamaiedge.net
Addresses: 2a02:26f0:fe00:1bb::40f8
2a02:26f0:fe00:1b6::40f8
2a02:26f0:fe00:180::40f8
2a02:26f0:fe00:1b7::40f8
2a02:26f0:fe00:1bf::40f8
95.100.198.74
Aliases: smex125-p.activeupdate.trendmicro.com
star-ds.activeupdate.trendmicro.com.edgekey.net

I think i am missing something as my rule will not match traffic. I have created a custom URL category - akamai - with *.deploy.static.akamaitechnologies.com in its 'sites' list.

I then create a rule specifying the IP of my test machine (in zone trust) as permitted to reach any destination IP in the untrust zone. 

Applications is set to 'any'. Under 'Service/URL Category' i have 'any' service and URL category 'akamai'

 

It worked like a charm. thanks

Simplicity is the friend of Security, whilst complexity is the Enemy. (Bruce Schneier) PCNSE,CCSA, SEC-Plus, CCNA Security
  • 1 accepted solution
  • 11036 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!