08-07-2018 02:22 AM
Hi,
I must set the firewall to connect to this webpage: www.google.com/recaptcha/api/siteverify
I have an object -> address groups -> own address group for some other addresses (like itunes.apple.com and so on). There I must now insert this domain.
But I can't set this as a FQDN like the others because "The value in this field is invalid."
So does anyone have an idea how to let the server connect to this domain?
It's for the Sophos Mobile Control service. https://community.sophos.com/kb/en-us/113217
08-07-2018 02:28 AM
Hi @clonesheep
FQDN objects for services from Google could be problematic anyway, as the IP behind the FQDN could change fast and then the firewall does not allow the traffic until the FQDN object is refreshed.
In your case you could use a custom URL category to allow exactly this URL (this requires TLS decryption to work, as the firewall only sees www.google.com without decrypting the traffic).
08-07-2018 02:58 AM
Does the term "SSL decryption" mean more to you? (I try to avoid using the word SSL as this is TLS in the current versions)
What I meant is that you need the firewall to decrypt this HTTPS traffic (--> decryption policy), because as I wrote, the firewall does not see the actual HTTP GET request without decryption.
08-07-2018 03:15 AM
Ah, decryption was no topic until today because we have an SSL proxy.
So I must configure a Policies -> Decryption -> decryption policy rule... and what kind of options? SSL Forward Proxy?
08-07-2018 03:29 AM
Yes, exactly. Because you already use another device for this, you want to make sure that really only this traffic here will be decrypted (server as source and maybe a second custom URL category that contains "www.google.com").