O365 URL rewrite

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

O365 URL rewrite

L2 Linker

I'm using minemeld to pull the O365 urls into my PAN. I get a list that has entries like
*.domain.com
sub.domain1.com

 

I need to import those entries and rewrite them so they look like
*.domain.com/
domain.com/
*.sub.domain1.com/
sub.domain1.com/

 

Any pointers would be appreciated.

1 accepted solution

Accepted Solutions

Hi @ckemp,

are you adding ?v=panosurl at the end of your feed URL?

The link in the EDL config should have the form:

https://<minemeld>/feeds/<feedname>?v=panosurl

View solution in original post

25 REPLIES 25

L7 Applicator

Hi @ckemp,

could you tell us more about this rewrite? Why is that needed?

We use an External Dynamic List from minemeld to ingest Office 365 URLs and IPs into PAN. Microsoft presents the urls as *.skype.com. If I go to www.skype.com, I get access. If I go to skype.com, I am blocked. I understand the “*” is a token and PAN expects to find something there, such as “www”, not for to be empty or null. This is a problem. I’m not sure how to manage this other than parse the list again for every *.domain.com entry create a domain.com entry.

Hi @ckemp,

what version of PAN-OS are you running on? I think the matching behavior was changed to let *.skype.com match also skype.com at some point. 

 

Thanks,

luigi

I’m running 8.1.4.

I've confirmed this is the behavior on v8.1.5 as well, a specific entry for the root domain is required as a wildcare does not function.

 

@lmori what would be the best way to file this?

 

@eyunghans thanks for testing this. I am working on it. The plan is to enhance panosurl modifier to translate *.domain.com into domain.com and *.domain.com in the generated feed.

Any ETA on when this would be available? 

Just merged the PR to the develop branch on github:

https://github.com/PaloAltoNetworks/minemeld-core/pull/307

 

This will be in the next release. You can test it now if you use the Ansible playbook.

We do not use Ansible playbook. Do you know when the next release will be available?

@lmori

 

Can you reply to this thread once this is updated, or do you suggest we monitor github?  

This thread. I do not monitor github.

The rewrite rule is not working for top level domains, but it is for subdomains. I would expect to see 

*.skype.com

skype.com

It is working for *.broadcast.skype.com.

 

image.png

Hi @ckemp,

just tested this and I can see the doubled entries for skype.com. I am about to release the binary packages for the updates. Which version are you running on?

2019-01-11_11-12-45.png

I am on 0.9.52.

 

ubuntu@minemeld:~$ sudo /usr/sbin/minemeld-auto-update
2019-01-11 13:06:45,572 INFO:0.9.11 Current status:
2019-01-11 13:06:45,572 INFO:0.9.11 minemeld-engine: current: 0.9.52 latest: 0.9.52
2019-01-11 13:06:45,573 INFO:0.9.11 minemeld-webui: current: 0.9.52 latest: 0.9.52
2019-01-11 13:06:45,573 INFO:0.9.11 minemeld-prototypes: current: 0.9.52 latest: 0.9.52
2019-01-11 13:06:45,739 DEBUG:0.9.11 curl output:
2019-01-11 13:06:45,773 DEBUG:0.9.11 curl output:
2019-01-11 13:06:45,773 DEBUG:0.9.11 gpgv: /usr/bin/gpgv --ignore-time-conflict --keyring /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg.d/minemeld.gpg /tmp/mmaupackagesgpgDWAPvd /tmp/mmaupackagesQUUdhl
2019-01-11 13:06:45,778 INFO:0.9.11 gpgv output: gpgv: Signature made Fri 07 Dec 2018 09:32:50 AM UTC using RSA key ID 7B630999
gpgv: Good signature from "Palo Alto Networks, MineMeld Team <minemeld@paloaltonetworks.com>"
gpgv: aka "[invalid image]"

2019-01-11 13:06:45,783 INFO:0.9.11 No package to deploy, exit
ubuntu@minemeld:~$

  • 1 accepted solution
  • 13165 Views
  • 25 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!