How to whitelist Akamai downloads?

L2 Linker

How do you configure a correct FW rule to only allow downloads for a specific user from a specific URL, but the content is hosted on Akamai networks?

I configured a FW rule with the URL of the server as FQDN in the destination field and allowed downloads, but since the content is hosted on Akamai, the FW rule is ignored.

I don't want to give the user full download access to Akamai networks...

How is it done on Palo Alto FWs?


Accepted Solutions
L4 Transporter

Create a custom URL category containing the needed URL.

Then use it in the URL category section of the firewall rule.

Use destination IP any.

The firewall will then allow the TCP handshake to any IP address, and when the first packet with payload comes, it will compare the requested URL against the URL in the custom URL category. If it matches, the session will be allowed. If not, the session will be closed.

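The matching behaviour described in this answer, as an added example that is not part of the original post and not Palo Alto's code. It is a simplified model for plaintext HTTP only; the hostnames, IP addresses and function names are hypothetical, and it assumes the FQDN-based rule misses because the firewall and the client resolve the CDN name to different edge addresses.

```python
# Constructed sample data: documentation IP ranges and hypothetical hostnames.
CUSTOM_URL_CATEGORY = ["downloads.vendor.example/"]  # entry format assumed: host/path-prefix
FQDN_OBJECT_IPS = {"203.0.113.10"}  # what the firewall resolved for the FQDN object
CDN_EDGE_IP = "198.51.100.25"       # what the client's resolver returned for the same name

def host_from_payload(payload: bytes):
    """Return the lower-cased Host header of a plaintext HTTP request, or None."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower().split(":")[0]  # drop an optional port
    return None

def in_category(host, path, entries):
    """Simplified match: exact host, and the path must start with the entry's prefix."""
    for entry in entries:
        e_host, _, e_path = entry.partition("/")
        if host == e_host.lower() and path.startswith("/" + e_path):
            return True
    return False

def fqdn_rule(dst_ip):
    """Rule with the FQDN as destination: the decision only ever sees the IP."""
    return "allow" if dst_ip in FQDN_OBJECT_IPS else "no-match"

def url_category_rule(dst_ip, first_payload):
    """Destination 'any': the handshake passes, the first payload packet decides."""
    parts = first_payload.split(b" ", 2)
    if len(parts) < 3:
        return "close"  # not an HTTP request line
    host = host_from_payload(first_payload)
    path = parts[1].decode("latin-1")
    if host and in_category(host, path, CUSTOM_URL_CATEGORY):
        return "allow"
    return "close"

# Two constructed requests that arrive at the same CDN edge address.
WANTED = b"GET /pkg/update.zip HTTP/1.1\r\nHost: downloads.vendor.example\r\n\r\n"
OTHER = b"GET /movie.iso HTTP/1.1\r\nHost: files.other-tenant.example\r\n\r\n"

if __name__ == "__main__":
    print("FQDN rule, edge IP      :", fqdn_rule(CDN_EDGE_IP))
    print("URL category, wanted URL:", url_category_rule(CDN_EDGE_IP, WANTED))
    print("URL category, other URL :", url_category_rule(CDN_EDGE_IP, OTHER))
```

The comparison uses the hostname the client requested in the Host header, so other content served from the same edge address is still refused.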


All Replies
L2 Linker

Thank you for the information.

I've created a FW rule keeping your tips in mind and it works as expected now.

L1 Bithead

I have the same question for the Trend Micro update services.

nslookup shows me the Akamai DNS address e16632.dscd.akamaiedge.net

Is this the right one for the security rule?


nslookup smex125-p.activeupdate.trendmicro.com

Nicht autorisierende Antwort:
Name: e16632.dscd.akamaiedge.net
Addresses: 2a02:26f0:fe00:1bb::40f8
2a02:26f0:fe00:1b6::40f8
2a02:26f0:fe00:180::40f8
2a02:26f0:fe00:1b7::40f8
2a02:26f0:fe00:1bf::40f8
95.100.198.74
Aliases: smex125-p.activeupdate.trendmicro.com
star-ds.activeupdate.trendmicro.com.edgekey.net
