Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
06-20-2024 02:37 PM - edited 06-20-2024 02:43 PM
Hi, this question may have been answered before, but I can’t find it anywhere on the LIVEcommunity. We need to allow traffic for the mssql-db app for a specific wildcard URL (*.example.com). It needs to be a wildcard because the alternative is to allow all Azure IP Ranges, which we cannot do. We tried using URL Categories, but it seems to only works for HTTP/HTTPS traffic. Does anyone have any ideas if this is possible?
Thank you.
PA-5280 v10.2.8-h3
06-22-2024 07:59 PM
That isn't going to work. The firewall isn't able to get any information that would tie the SQL traffic to a URL since that isn't really how SQL functions. You are essentially being asked to allow SQL traffic to a wildcard FQDN which PAN can't do while other vendors (IE: Fortigate) can.
You can work around this in a convoluted way by using the API and scrubbing the DNS logs on your servers (assuming that they're private) to make it "functional". Alternatively if you don't control the DNS servers you may be able to pull resolved domains through your EDR solution as well.
You would essentially scrub the logs using your own wildcard search. Any domain that matches is one that you need to allow access to, so you could utilize an EDL and feed the identified domains into the EDL to make things "functional". This isn't a great solution since there's going to be a delay between identifying a new required domain and authorizing access on the firewall, but it works well enough if whoever/whatever your connecting to absolutely can't give you actual requirements.
06-22-2024 07:59 PM
That isn't going to work. The firewall isn't able to get any information that would tie the SQL traffic to a URL since that isn't really how SQL functions. You are essentially being asked to allow SQL traffic to a wildcard FQDN which PAN can't do while other vendors (IE: Fortigate) can.
You can work around this in a convoluted way by using the API and scrubbing the DNS logs on your servers (assuming that they're private) to make it "functional". Alternatively if you don't control the DNS servers you may be able to pull resolved domains through your EDR solution as well.
You would essentially scrub the logs using your own wildcard search. Any domain that matches is one that you need to allow access to, so you could utilize an EDL and feed the identified domains into the EDL to make things "functional". This isn't a great solution since there's going to be a delay between identifying a new required domain and authorizing access on the firewall, but it works well enough if whoever/whatever your connecting to absolutely can't give you actual requirements.
07-03-2024 04:54 AM - edited 07-03-2024 12:20 PM
Thanks for the reply @BPry ! As you mentioned, and as confirmed by our test, using a URL for SQL traffic does not work. Fortunately, there was an IPv4 EDL from the PA EDL Hosting Service that met our needs so we ended up using that.
Thank you !
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
