Wildcards in address objects

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Wildcards in address objects

L2 Linker

Instead of creating several address objects for the many MS update servers available, and then creating a group to plug into a security policy that allows my WSUS server to get updates, is there a way to use wildcards in the address objects?  MS updates lists multiple locations available for updates:

This list could be condensed down to perhaps four address objects:

  1. *.windowsupdate.microsoft.com
  2. *.update.microsoft.com
  3. *.download.windowsupdate.com
  4. *.windowsupdate.com

which could be put into a address group and use the group in the security policy destination.  Then I only have to move objects into and out of the group as MS changes and I don't have to worry about changing a rule.  If they add or remove servers within the wildcard domains, then I don't need to make any changes.

Thanks,

Bart

1 accepted solution

Accepted Solutions

L4 Transporter

Hi Bart,

I assume following is what you are trying to do:-

When you log into the WEB UI:-

Objects----> Addresses --->Click Add

You would like to add the FQDN as a wildcard address.

Name:- testobject

Type: FQDN     *.windowsupdate.microsoft.com 

SEE ATTACHMENT :- wildcard.PNG

The above FQDN syntax is not valid and cannot be used.

If this is what you are trying to do, Wildcards in address objects cannot be used (at this time).

You would have to create multiple addresses and encapsulate them in a group and bind it to the policy.

Regards,

Parth

View solution in original post

8 REPLIES 8

L4 Transporter

Hi Bart,

I assume following is what you are trying to do:-

When you log into the WEB UI:-

Objects----> Addresses --->Click Add

You would like to add the FQDN as a wildcard address.

Name:- testobject

Type: FQDN     *.windowsupdate.microsoft.com 

SEE ATTACHMENT :- wildcard.PNG

The above FQDN syntax is not valid and cannot be used.

If this is what you are trying to do, Wildcards in address objects cannot be used (at this time).

You would have to create multiple addresses and encapsulate them in a group and bind it to the policy.

Regards,

Parth

Yes, I had tried that already and discovered I couldn't do it.  I'm wondering if there is any other way to accomplish this.

Hi Bart,


You can use those wildcards in the URL filtering profile and can have in the Explicit allow/block list.The URL filtering Profile can then be applied to the policy.

Go to OBJECTS-->URL Filtering Profile
List teh following URLS in the Allow list:-
*.windowsupdate.microsoft.com

*.update.microsoft.com

*.download.windowsupdate.com

*.windowsupdate.com

Please see the attcment :- url-filtering.PNG

This way you can use the Wildcards BUT to only ALLOW AND DENY. 
Let me know if that helps.

Regards,Parth

Thanks,

I had looked at that before writing the post and was wondering if that wouldn't work. I'll give it a try.

A custom url-filtering along with only allow appid:ms-update (and set service:default-application) should do it.

A sidenote is that SSL decryption doesnt work for ms update traffic (since they use their own built in certs and doesnt allow any other, at least if you use WSUS or such) so Im not sure how widely open the above rule might be in reality.

Im not sure how you can in a good way limit it down further. Perhaps adding dstip:65.55.27.0/24 but these ip's I guess might differ from time to time along with being different depending on when and from where you query the DNS.

Edit: Seems it was true regarding various ip's for windowsupdate... so make that dstip:65.55.0.0/16 :smileysilly:

I used a Custom URL Category along with ms-update application filtering but it was not enough to just list the wildcard versions of the FQDN's, I also had to list the FQDN without the *.

ie. This is what worked for me with PANOS 4.1.10

windowsupdate.microsoft.com

*.windowsupdate.microsoft.com

update.microsoft.com

*.update.microsoft.com

download.windowsupdate.com

*.download.windowsupdate.com

windowsupdate.com

*.windowsupdate.com

Yes, this works, but only for HTTP. How to make this work for FTP?

If you want to limit which FTP sites should be possible to visit you need to use FQDN or setup a dynamic address object which you then "feed" by a script running on some server (to inform the PA device which ip addresses this current adress object/group should point at).

  • 1 accepted solution
  • 14809 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!