Security policy using wildcard destinations and NON http/https protocols

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Security policy using wildcard destinations and NON http/https protocols

L1 Bithead

Dear community 

 

We are dealing with a request for a firewall rule which is supposed to allow SMB traffic (TCP 445) to a wildcard destination like *.subdomain.example.com out on the internet. So this made me think about how we should implement such a rule and I am not even sure it can be done or at least I don't know how. If this would be HTTP/HTTPS traffic we could create a customer URL category in order to be used in a rule with an allow action. But when the protocol isn't HTTP/HTTPS but something like SMB or SSH and so on, I don't think the URL category will be a factor. Also creating a FQDN object is not an option since it won'd allow wildcards. 

 

Any other ideas or suggestions from your side? Many thanks and regards

 

Tibor

1 accepted solution

Accepted Solutions

The Url categories are determined by http “Get” command so no chance...  the only other time url cats will kick in is when perhaps something like smtp traffic is encrypted via tls. palo will then use certificate details to guess the category Just like undecrypted https traffic.

 

wildcards cannot be used in fqdn as palo turns your string into a regex kinda dns search... the search criteria is within square brackets and cannot include some special characters such as an asterisk.

 

Sorry wouldnot acept unencrypted but it has now...

View solution in original post

3 REPLIES 3

L7 Applicator

if using internal DNS with an external forwarder it would be possible to log all requests/responses for *.subdomain.example.com and forward these via API to a dynamic address group on the PA. 

 

not for me.... but it is an option...

Thank you very much. This is a interesting option I would never have considered. Your input is very much appreciated. 

 

Any other suggestions? Or can someone confirm my feeling that URL categories will not have any impact at all?

The Url categories are determined by http “Get” command so no chance...  the only other time url cats will kick in is when perhaps something like smtp traffic is encrypted via tls. palo will then use certificate details to guess the category Just like undecrypted https traffic.

 

wildcards cannot be used in fqdn as palo turns your string into a regex kinda dns search... the search criteria is within square brackets and cannot include some special characters such as an asterisk.

 

Sorry wouldnot acept unencrypted but it has now...

  • 1 accepted solution
  • 6668 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!