PBF based on domain/URL/FQDN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PBF based on domain/URL/FQDN

L1 Bithead

After research in KnowledgePoint, I understand application is not recommended to be used in PBF as single session will always be forwarded  the same way. i.e. application shifts will not change the forwarding  behavior.

If we want to forward traffics from internal to specified url URL e.g. www.facebook.com to 2nd ISP, is it possible?

Any simple way to fulfill this requirement? Can anyone confirm follow idea will work?

1. Create FQDN address object and use it as Destination address in PBF.

Assumption: We collect ALL FQDNs when user access www.facebook.com
Example:
www.facebook.com
facebook.com
pixel.facebook.com
profile.ak.fbcdn.net
static.ak.fbcdn.net
a8.sphotos.ak.fbcdn.net
external.ak.fbcdn.net

Problem:

Too many FQDN objects for single site
The FQDN initially resolves at commit time. Entries are subsequently refreshed when the DNS time-to-live expires (or is close to expiring).
We cannot confirm if all IP addresses are recorded if DNS reply multiple IP for a FQDN

3 REPLIES 3

L6 Presenter

No, I think its becuase the session WILL change and this is bad later on.

An application can (as example) be first identified as unknown, and then web-browsing and then finally facebook.

If you PBF just facebook it means that the syn/synack/ack is unknown, the http request is web-browsing and when the server replies its identified as facebook. If facebook server suddently get a packet from a new ip (your ISP2) without a syn first it will (most likely) just drop the incoming traffic due to its own sessionhandling (whatever firewalls they use) - or it least its a common thing to do.

Which means you need to either use a forward-proxy which can split outgoing sessions depending on what the client requests or do this at L3 level by help of BGP magic.

Facebook uses their own AS (if im not mistaken), if you use BGP towards your two ISPs you can make sure that traffic towards facebook AS will use ISP2 as primary connection.

Another way is to do this at L4 level in the PA device, so outgoing TCP80 and TCP443 is always routed through ISP2 as primary way out.

You can also setup a combination so that your clients use a forward-proxy for normal traffic while traffic to *.facebook.com (clientside configuration in the browser) is not sent through the forward-proxy (but this just adds complexity and is just wrong 🙂

Maybe I clarify the background first. Here is the summary, assume we have two sites:

Site A - Able to access any web sites.

Site B - Not able to access some web sites (mainly facebook, twitter, youtube), the meaning of NOT able is the WHOLE country users cannot access these web sites thanks to Great Firewall of China.

Currently Site A is using Microsoft ISA as FW + Proxy. ISA is also using in SiteB as firewall.

Site B users will configure Site A ISA IP as Forward-Proxy server manually when they want to access blocked site.

--------------------------------------------------------------------------------------

We want to propose PAN to replace both ISA but we also have to take the problem of Great Firewall.

Actually the reason we want to check if PBF work in our case is PAN cannot work as forward-proxy server, we cannot replace ISA in Site A. However I just found the latest version of Check Point FW can do this.

So I think in this case, BGP magic simple doesn't work, right?

Is there any workaround?

Is it possible for site B to setup an encrypted tunnel towards site A?

Because then site B could force all its traffic (or whatever traffic you like) into this encrypted tunnel which will then pop out at site A in order to reach Internet.

I dont have the details of how the China Firewall works (just some random rumours) but sending your facebook request in cleartext sounds odd that its allowed through this "Firewall" (or just a matter of time before also that is being blocked).

  • 4424 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!