09-04-2012 07:38 AM
; <<>> DiG 9.2.3 <<>> www.microsoft.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.microsoft.com. IN A
;; ANSWER SECTION:
www.microsoft.com. 1937 IN CNAME toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 20 IN CNAME g.www.ms.akadns.net.
g.www.ms.akadns.net. 20 IN CNAME lb1.www.ms.akadns.net.
lb1.www.ms.akadns.net. 265 IN A 22.214.171.124
If you were allowing access to www.microsoft.com, wouldn't everything on these akadns.net devices be allowed?
09-04-2012 09:38 AM
I don't know how round-robin DNS names are handled in the PA.
But regarding address objects containing an FQDN instead of an IP, the FQDN is resolved during commit, and then there is a script that every 20 (or was it 30) minutes will recommit the FQDN portions to keep them up to date (because in the fabric only IP addresses are being handled).
In your case (if possible) you could add a URL filter as well if you only want to allow requests towards www.microsoft.com.
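Added example (not part of any post in this thread, and not Palo Alto code): a Python sketch that follows the CNAME chain from the dig answer quoted above and compares the chain's lowest TTL with the 20 or 30 minute refresh interval mentioned in the reply. The function names are hypothetical and the records are copied from the quoted output; the address it returns is all an IP-based rule would match on, so any other name served from that address matches too.

```python
# Added example: records copied from the dig answer quoted in this thread.
DIG_ANSWER = """\
www.microsoft.com. 1937 IN CNAME toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 20 IN CNAME g.www.ms.akadns.net.
g.www.ms.akadns.net. 20 IN CNAME lb1.www.ms.akadns.net.
lb1.www.ms.akadns.net. 265 IN A 22.214.171.124
"""

def parse_answer(text):
    """Return {owner: [(ttl, rtype, rdata), ...]} from dig ANSWER lines."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # skip blank lines and dig comment lines
        owner, ttl, _cls, rtype = fields[:4]
        records.setdefault(owner.lower(), []).append(
            (int(ttl), rtype.upper(), fields[4]))
    return records

def resolve_chain(records, fqdn, max_depth=8):
    """Follow CNAMEs to A records; return (addresses, chain, lowest TTL)."""
    name = fqdn.lower().rstrip(".") + "."
    chain, ttls, seen = [name], [], {name}
    for _ in range(max_depth):
        rrset = records.get(name, [])
        addrs = [rdata for _, rtype, rdata in rrset if rtype == "A"]
        if addrs:
            ttls += [ttl for ttl, rtype, _ in rrset if rtype == "A"]
            return addrs, chain, min(ttls)
        cnames = [(ttl, rdata) for ttl, rtype, rdata in rrset if rtype == "CNAME"]
        if not cnames:
            break
        ttl, target = cnames[0]
        name = target.lower()
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        chain.append(name)
        ttls.append(ttl)
    raise ValueError("no A record found for " + fqdn)

def stale_window(refresh_seconds, min_ttl):
    """Seconds a resolved address may outlive the DNS answer it came from."""
    return max(0, refresh_seconds - min_ttl)

if __name__ == "__main__":
    addrs, chain, min_ttl = resolve_chain(parse_answer(DIG_ANSWER), "www.microsoft.com")
    print(" -> ".join(chain), addrs)
    for minutes in (20, 30):  # the two intervals mentioned in the reply
        print(minutes, "min refresh: stale for up to", stale_window(minutes * 60, min_ttl), "s")
```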
09-07-2012 08:34 AM
Well, my problem is that we are using authenticated access... Certain user groups have rights to access more URL groups than others...
How would I create a URL filter to allow un-authenticated access to www.microsoft.com while continuing to require authenticated access for the other type of URL groups?
Any help on this would be greatly appreciated!!
09-07-2012 08:46 AM
Well, you can use a security policy before all others, with a Custom URL Category as the match object, and allow traffic through this rule (supported since 4.1.x).
09-13-2012 09:44 AM
That would be great if we were running 4.1... We're still on 4.0.12 at this point... With 17 firewalls and Panorama, upgrading is somewhat painful.