03-13-2013 03:14 PM
We are using FQDN objects and network objects with a traditional IP address in rules to block traffic. How do you easily determine the associated object when all you see are IP addresses in the logs? When looking at the logs and resolving host names, the defined name appears for IP-addressed objects, but the DNS reverse lookup value appears for the FQDN-defined object, not the FQDN-defined name. It is useful when you have comments in the description field (used to provide background info as to why we are blocking the destination). Any suggestions would be helpful.
03-14-2013 12:36 AM
Logs won't show up the Object name.
You can check the FQDN related details using the CLI command:
> request system fqdn show
FQDN Table : Last Request time Thu Mar 14 00:34:58 2013
--------------------------------------------------------------------------------
IP Address                               Remaining TTL   Secs Since Refreshed
--------------------------------------------------------------------------------
VSYS : vsys1
www.google.com (Objectname test):
2001:4860:4002:801:0:0:0:1013            49              12
74.125.227.144                           49              12
74.125.227.145                           49              12
74.125.227.146                           49              12
74.125.227.147                           49              12
74.125.227.148                           49              12
VSYS : shared
"Unfortunately we can only show traffic logs by IP addresses. Basically when we use FQDN in address objects, the PA device will resolve the IPs for those objects and will use that in the policy. Hence you will always see traffic logs showing IP address. However, you can perhaps configure rules with just one specific FQDN as the source or destination. Then you can use rule name with FQDN name to be able to track in the traffic log." -rkim
-AMeya
03-14-2013 05:28 PM
Thanks for the feedback akawimandan. If we created a second rule for FQDN objects being blocked we would still have the problem of identifying the defined host. I did the fqdn show and so far I have 85 entries and growing. After a bit of digging I might use a program called FastResolver - Host Names/IP Addresses/MAC Address Scanner which can do the DNS resolutions and then easily sort the results by IP order for easy lookup. Your feedback and attached post showed me that there is no easy fix so I had to dig deeper.
Thanks - Phil
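
Added example, not written by anyone in this thread and not Palo Alto Networks code: a small Python parser that turns saved `request system fqdn show` output into an IP-to-object lookup, so an address seen in a traffic log can be mapped back to the FQDN object (and its vsys) that resolved to it. It assumes the output layout is exactly as quoted above; the function names and the trimmed sample text are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, trimmed from the CLI output quoted earlier in this thread.
SAMPLE = """\
FQDN Table : Last Request time Thu Mar 14 00:34:58 2013
VSYS : vsys1
www.google.com (Objectname test):
2001:4860:4002:801:0:0:0:1013 49 12
74.125.227.144 49 12
74.125.227.145 49 12
VSYS : shared
"""

VSYS = re.compile(r"^VSYS\s*:\s*(?P<vsys>\S+)")
HEADER = re.compile(r"^(?P<fqdn>\S+)\s+\(Objectname\s+(?P<obj>.+?)\):?\s*$")

def parse_fqdn_table(text):
    """Return {ip_address: (vsys, object_name, fqdn)} from the CLI output."""
    table, vsys, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = VSYS.match(line)
        if m:  # a new vsys section ends the previous object
            vsys, current = m.group("vsys"), None
            continue
        m = HEADER.match(line)
        if m:
            current = (vsys, m.group("obj"), m.group("fqdn"))
            continue
        fields = line.split()
        if current and fields:
            try:
                ip = ipaddress.ip_address(fields[0])
            except ValueError:
                continue  # banner, separator or column-header line
            table[ip] = current
    return table

def lookup(table, ip_text):
    """Map an address from a traffic log to its FQDN object, or None."""
    return table.get(ipaddress.ip_address(ip_text))

def sorted_rows(table):
    """Rows in numeric IP order (IPv4 first), for manual lookup."""
    ordered = sorted(table, key=lambda ip: (ip.version, int(ip)))
    return [(str(ip),) + table[ip] for ip in ordered]

if __name__ == "__main__":
    for row in sorted_rows(parse_fqdn_table(SAMPLE)):
        print("%-40s vsys=%s object=%s fqdn=%s" % row)
```

Because the firewall refreshes FQDN resolutions as TTLs expire, a lookup table built this way only describes the moment the output was captured; re-capture it close to the time of the log entries being investigated.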