Wildcard domain + destination question

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Wildcard domain + destination question

L4 Transporter

Hi..I want to be able to allow a specific set of apps to *.github.com.  To do this would I simply specify a custom URL with *.github.com and destination of ANY?  That would then only allow those apps to *.github.com?  I ask just because I am wary of having the destination as ANY and not clear on which takes precedence.  

 

Currently I have it locked down to destination IPs and FQDN of github.com but that doesn't always work because IPs change and some of the valid traffic gets denied.  

 

Annotation 2020-01-21 093816.png

3 REPLIES 3

L7 Applicator

Hi @drewdown 

Specifying the destination IP addresses as any will work perfectly fine. The downside of this way is that the tcp handshake really is allowed to any IP. As soon as the firewall then sees the URL (in http get or tls client hello/server hello) then it will match this rule finally and the traffic is allowed if it matches *.github.com. If you would like to have it a little more restricted I recommend to configure all github IPs as destination. You can find the IP addresses here: https://api.github.com/meta

(If you are using minemeld you can have minemeld dynamically import the IPs regularly or of couse you could also script this workflow and regularly check if you still have all the required IPs configure)

With dest as any is there a downside to it?   Meaning if it is set to ANY is it going to match and allow before it sees github or an IP related to github?  

 

No interest in manually entering all of those and I want to lock this down.  I do use minemeld for o356 URLs but its been awhile since I did anything with it.   Got a link to how I can configure it to pull github IPs?  

 

Edit I changed the dest to ANY and its still denying SSH to 'lb-140-82-114-3.iad.github.com' eventhough I have that policy to allow *.github.com.  Honestly now that I look at it I don't know whats going on because before I made any changes it appears it was allowed sometimes and not others to same URL/IP over ssh.  Anything before 7:11 was locked down to destination, the 7:11 attempt was just using the URL category with destination as ANY.  

 

Annotation 2020-01-21 101441.png

 

Also it seems I went over this before and URL Category ONLY works http/SSL traffic and not SSH so I have to either allow github to ANY, configure all those IPs or use minemeld.  For all the cool features PAN has somethings leave a lot to be desired.  

Using only an URL category can potentially allow some packets too much - at least the tcp handshake. Another downside is that a connection could go to ANY IP as long as there is something that matches the URL category in the http get request. And yes, URL catehories only work for http/https connections - not ssh.

So to lock it down and to also allow ssh to only github and not to any the best way is to use minemeld. There should be a json miner that you can use to pull the github IPs.

  • 2570 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!