08-23-2019 12:16 AM
Dear community
We are dealing with a request for a firewall rule which is supposed to allow SMB traffic (TCP 445) to a wildcard destination like *.subdomain.example.com out on the internet. This made me think about how we should implement such a rule, and I am not even sure it can be done, or at least I don't know how. If this were HTTP/HTTPS traffic we could create a custom URL category to be used in a rule with an allow action. But when the protocol isn't HTTP/HTTPS but something like SMB or SSH and so on, I don't think the URL category will be a factor. Also, creating an FQDN object is not an option since it won't allow wildcards.
Any other ideas or suggestions from your side? Many thanks and regards
Tibor
08-23-2019 11:20 AM
The URL categories are determined by the HTTP "GET" command, so no chance... The only other time URL cats will kick in is when perhaps something like SMTP traffic is encrypted via TLS. Palo will then use certificate details to guess the category, just like undecrypted HTTPS traffic.
Wildcards cannot be used in FQDN as Palo turns your string into a regex kind of DNS search... The search criteria is within square brackets and cannot include some special characters such as an asterisk.
Sorry, it would not accept "unencrypted" but it has now...
08-23-2019 02:25 AM
If using internal DNS with an external forwarder, it would be possible to log all requests/responses for *.subdomain.example.com and forward these via API to a dynamic address group on the PA.
Not for me... but it is an option...
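One way to build the DNS-to-dynamic-address-group feed described in the reply above, as an added example that is not from this thread or from Palo Alto: it parses constructed resolver answers in a made-up three-column format, keeps the A/AAAA answers whose owner name matches the wildcard (anchored, so a look-alike name ending in something else is rejected), and emits the User-ID XML register message that tags those addresses. The XML layout follows the PAN-OS User-ID API as I understand it and should be checked against your release.

```python
import re
from xml.etree import ElementTree as ET

# Constructed sample of resolver answers in a simplified format of my own
# ("<name> <rrtype> <rdata>"), standing in for a real internal-DNS response log.
SAMPLE_LOG = """\
share1.subdomain.example.com A 203.0.113.10
share1.subdomain.example.com A 203.0.113.11
web.other.example.com A 198.51.100.7
subdomain.example.com.attacker.test A 192.0.2.9
share2.subdomain.example.com AAAA 2001:db8::20
deep.share2.subdomain.example.com A 203.0.113.20
"""

def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Turn '*.subdomain.example.com' into an anchored regex. Here '*' stands
    for one or more DNS labels (my design choice, not PAN-OS semantics)."""
    label = r"[A-Za-z0-9-]+"
    body = re.escape(pattern).replace(r"\*", f"{label}(?:\\.{label})*")
    return re.compile(rf"^{body}\.?$", re.IGNORECASE)

def extract_ips(log_text: str, pattern: str) -> set:
    """Collect A/AAAA rdata whose owner name matches the wildcard pattern."""
    rx = wildcard_to_regex(pattern)
    ips = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] not in ("A", "AAAA"):
            continue  # ignore malformed lines and non-address records
        name, _, rdata = parts
        if rx.match(name):
            ips.add(rdata)
    return ips

def build_register_payload(ips, tag: str) -> str:
    """Build the User-ID XML that registers each IP with a tag; a dynamic
    address group whose match criteria names that tag will pick them up.
    Assumed format: <uid-message><type>update</type><payload><register>..."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    reg = ET.SubElement(ET.SubElement(msg, "payload"), "register")
    for ip in sorted(ips):
        entry = ET.SubElement(reg, "entry", ip=ip)
        ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(msg, encoding="unicode")

if __name__ == "__main__":
    found = extract_ips(SAMPLE_LOG, "*.subdomain.example.com")
    print(build_register_payload(found, "smb-allowed-dst"))
```

The payload would go to the firewall's XML API as the `cmd` field of a `type=user-id` request with an API key (not sent here); when an answer changes, the old address needs a matching `unregister` message of the same shape, which this example does not cover.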
08-23-2019 04:33 AM
Thank you very much. This is an interesting option I would never have considered. Your input is very much appreciated.
Any other suggestions? Or can someone confirm my feeling that URL categories will not have any impact at all?