11-15-2018 03:03 PM
I'm using minemeld to pull the O365 urls into my PAN. I get a list that has entries like
*.domain.com
sub.domain1.com
I need to import those entries and rewrite them so they look like
*.domain.com/
domain.com/
*.sub.domain1.com/
sub.domain1.com/
Any pointers would be appreciated.
01-16-2019 03:04 AM
Hi @ckemp,
are you adding ?v=panosurl at the end of your feed URL?
The link in the EDL config should have the form:
https://<minemeld>/feeds/<feedname>?v=panosurl
11-20-2018 05:47 AM
Hi @ckemp,
could you tell us more about this rewrite? Why is that needed?
11-20-2018 06:05 AM
We use an External Dynamic List from minemeld to ingest Office 365 URLs and IPs into PAN. Microsoft presents the URLs as *.skype.com. If I go to www.skype.com, I get access. If I go to skype.com, I am blocked. I understand the “*” is a token and PAN expects to find something there, such as “www”, not for it to be empty or null. This is a problem. I’m not sure how to manage this other than to parse the list again and, for every *.domain.com entry, create a domain.com entry.
11-20-2018 02:09 PM
Hi @ckemp,
what version of PAN-OS are you running on? I think the matching behavior was changed to let *.skype.com match also skype.com at some point.
Thanks,
luigi
12-17-2018 09:16 AM
I've confirmed this is the behavior on v8.1.5 as well; a specific entry for the root domain is required, as a wildcard does not function.
@lmori what would be the best way to file this?
12-19-2018 02:29 AM
@eyunghans thanks for testing this. I am working on it. The plan is to enhance the panosurl modifier to translate *.domain.com into domain.com and *.domain.com in the generated feed.
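The translation described in the reply above, together with the rewrite the original question asked for, as an added example that is not part of the thread and is not the MineMeld code from the PR. The function names, options and sample feed are assumptions made for illustration.

```python
# Added example (not MineMeld's code). Names and the sample feed are constructed.
SAMPLE_FEED = ["*.skype.com", "*.broadcast.skype.com", "skype.com",
               "# comment", "", "Sub.Domain1.com/"]


def expand_entry(entry, trailing_slash=False, wildcard_plain=False):
    """Return the EDL lines for one feed entry.

    '*.domain.com' yields '*.domain.com' and 'domain.com', since the thread
    reports that the wildcard alone does not match the bare domain.
    wildcard_plain also adds '*.host' for plain hosts; on an allow list this
    admits every subdomain, so it is off by default.
    """
    item = entry.strip()
    if not item or item.startswith("#"):
        return []
    if "://" in item:                      # drop a scheme if the feed has one
        item = item.split("://", 1)[1]
    host, _, path = item.partition("/")
    host = host.lower()                    # hostnames are case-insensitive
    path = path.rstrip("/")                # paths keep their case
    if host.startswith("*."):
        bare = host[2:]
        # Only a single leading wildcard is expanded; anything else passes through.
        hosts = [host, bare] if bare and "*" not in bare else [host]
    elif wildcard_plain and host and "*" not in host:
        hosts = ["*." + host, host]
    else:
        hosts = [host] if host else []
    suffix = "/" + path if path else ("/" if trailing_slash else "")
    return [h + suffix for h in hosts]


def build_edl(lines, **options):
    """Expand every entry, dropping duplicates while keeping feed order."""
    seen, out = set(), []
    for line in lines:
        for item in expand_entry(line, **options):
            if item not in seen:
                seen.add(item)
                out.append(item)
    return out


if __name__ == "__main__":
    print("\n".join(build_edl(SAMPLE_FEED)))
```

Calling `build_edl(feed, trailing_slash=True, wildcard_plain=True)` produces the four-line form shown in the original question.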
12-19-2018 04:55 AM
Any ETA on when this would be available?
12-20-2018 07:36 AM
Just merged the PR to the develop branch on github:
https://github.com/PaloAltoNetworks/minemeld-core/pull/307
This will be in the next release. You can test it now if you use the Ansible playbook.
12-20-2018 08:00 AM
We do not use the Ansible playbook. Do you know when the next release will be available?
12-20-2018 08:11 AM
This thread. I do not monitor github.
01-10-2019 06:14 AM
The rewrite rule is not working for top level domains, but it is for subdomains. I would expect to see
*.skype.com
skype.com
It is working for *.broadcast.skype.com.
01-11-2019 02:18 AM
Hi @ckemp,
just tested this and I can see the doubled entries for skype.com. I am about to release the binary packages for the updates. Which version are you running on?
01-11-2019 05:07 AM
I am on 0.9.52.
ubuntu@minemeld:~$ sudo /usr/sbin/minemeld-auto-update
2019-01-11 13:06:45,572 INFO:0.9.11 Current status:
2019-01-11 13:06:45,572 INFO:0.9.11 minemeld-engine: current: 0.9.52 latest: 0.9.52
2019-01-11 13:06:45,573 INFO:0.9.11 minemeld-webui: current: 0.9.52 latest: 0.9.52
2019-01-11 13:06:45,573 INFO:0.9.11 minemeld-prototypes: current: 0.9.52 latest: 0.9.52
2019-01-11 13:06:45,739 DEBUG:0.9.11 curl output:
2019-01-11 13:06:45,773 DEBUG:0.9.11 curl output:
2019-01-11 13:06:45,773 DEBUG:0.9.11 gpgv: /usr/bin/gpgv --ignore-time-conflict --keyring /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg.d/minemeld.gpg /tmp/mmaupackagesgpgDWAPvd /tmp/mmaupackagesQUUdhl
2019-01-11 13:06:45,778 INFO:0.9.11 gpgv output: gpgv: Signature made Fri 07 Dec 2018 09:32:50 AM UTC using RSA key ID 7B630999
gpgv: Good signature from "Palo Alto Networks, MineMeld Team <minemeld@paloaltonetworks.com>"
gpgv: aka "[invalid image]"
2019-01-11 13:06:45,783 INFO:0.9.11 No package to deploy, exit
ubuntu@minemeld:~$