Wildcard URL for Non-HTTP/HTTPS traffic


L0 Member

 

Hi, this question may have been answered before, but I can’t find it anywhere on the LIVEcommunity. We need to allow traffic for the mssql-db app for a specific wildcard URL (*.example.com). It needs to be a wildcard because the alternative is to allow all Azure IP Ranges, which we cannot do. We tried using URL Categories, but it seems to only work for HTTP/HTTPS traffic. Does anyone have any ideas if this is possible?


Thank you.



PA-5280 v10.2.8-h3

1 accepted solution

Accepted Solutions

Cyber Elite

@R8787H,

That isn't going to work. The firewall isn't able to get any information that would tie the SQL traffic to a URL since that isn't really how SQL functions. You are essentially being asked to allow SQL traffic to a wildcard FQDN which PAN can't do while other vendors (IE: Fortigate) can.

 

You can work around this in a convoluted way by using the API and scrubbing the DNS logs on your servers (assuming that they're private) to make it "functional". Alternatively if you don't control the DNS servers you may be able to pull resolved domains through your EDR solution as well.

You would essentially scrub the logs using your own wildcard search. Any domain that matches is one that you need to allow access to, so you could utilize an EDL and feed the identified domains into the EDL to make things "functional". This isn't a great solution since there's going to be a delay between identifying a new required domain and authorizing access on the firewall, but it works well enough if whoever/whatever you're connecting to absolutely can't give you actual requirements.
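The log-scrubbing step described in the answer above, as an added example that is not part of the original thread: a Python sketch that pulls queried names from DNS logs, keeps only true subdomains of the wildcard, and renders them one per line for an EDL. The BIND-style log format, the sample lines, and all function names are assumptions made for illustration.

```python
import re

WILDCARD = "*.example.com"  # wildcard from the question

# Constructed sample lines; the BIND-style query log layout is an assumption.
SAMPLE_LOG = """\
05-Mar-2024 10:01:02 client 10.0.0.5#53211 (sql01.example.com): query: sql01.example.com IN A +
05-Mar-2024 10:01:03 client 10.0.0.5#53212 (SQL02.Example.COM.): query: SQL02.Example.COM. IN A +
05-Mar-2024 10:01:04 client 10.0.0.7#40100 (evilexample.com): query: evilexample.com IN A +
05-Mar-2024 10:01:05 client 10.0.0.7#40101 (example.com.attacker.net): query: example.com.attacker.net IN A +
05-Mar-2024 10:01:06 client 10.0.0.8#40102 (example.com): query: example.com IN A +
05-Mar-2024 10:01:07 client 10.0.0.5#53213 (sql01.example.com): query: sql01.example.com IN AAAA +
"""

QUERY_RE = re.compile(r"query:\s+(\S+)\s+IN\s+(?:A|AAAA|CNAME)\b")
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(name):
    """Lowercase, drop the trailing root dot, reject malformed hostnames."""
    name = name.strip().rstrip(".").lower()
    if not name or len(name) > 253:
        return None
    if not all(LABEL_RE.match(label) for label in name.split(".")):
        return None
    return name

def matches_wildcard(name, wildcard):
    """True only for subdomains of the wildcard's base, matched on a label boundary."""
    if not wildcard.startswith("*."):
        raise ValueError("wildcard must look like *.domain.tld")
    suffix = wildcard[1:].lower()  # ".example.com", leading dot enforces the boundary
    return name.endswith(suffix) and len(name) > len(suffix)

def build_edl(log_text, wildcard=WILDCARD):
    """Return the sorted, de-duplicated names from the log that match the wildcard."""
    found = set()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = normalize(m.group(1))
        if name and matches_wildcard(name, wildcard):
            found.add(name)
    return sorted(found)

def render_edl(entries):
    """EDL source files are plain text with one entry per line."""
    return "".join(entry + "\n" for entry in entries)

if __name__ == "__main__":
    print(render_edl(build_edl(SAMPLE_LOG)), end="")
```

Matching on the `.example.com` suffix with its leading dot is what keeps look-alikes such as `evilexample.com` and `example.com.attacker.net` out of the allow list.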


2 REPLIES 2


Thanks for the reply @BPry ! As you mentioned, and as confirmed by our test, using a URL for SQL traffic does not work. Fortunately, there was an IPv4 EDL from the PA EDL Hosting Service that met our needs so we ended up using that.


Thank you !
