Will FQDN names work when the name resolves to a content delivery service?


L1 Bithead

For example:

H:\>dig www.microsoft.com

; <<>> DiG 9.2.3 <<>> www.microsoft.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.microsoft.com.             IN      A

;; ANSWER SECTION:
www.microsoft.com.      1937    IN      CNAME   toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 20    IN      CNAME   g.www.ms.akadns.net.
g.www.ms.akadns.net.    20      IN      CNAME   lb1.www.ms.akadns.net.
lb1.www.ms.akadns.net.  265     IN      A       65.55.57.27

If you were allowing access to www.microsoft.com, wouldn't everything on these akadns.net devices be allowed?

5 REPLIES

L6 Presenter

I don't know how round-robin DNS names are handled in the PA.

But regarding address objects containing an FQDN instead of an IP: the FQDN is resolved during commit, and then there is a script that every 20 (or if it was 30) minutes will recommit the FQDN portions to keep them up to date (because in the fabric only IP addresses are being handled).

In your case (if possible) you could add a URL filter as well if you only want to allow requests towards www.microsoft.com.

Well, my problem is that we are using authenticated access... Certain user groups have rights to access more URL groups than others...

How would I create a URL filter to allow un-authenticated access to www.microsoft.com while continuing to require authenticated access for the other type of URL groups?

Any help on this would be greatly appreciated!!

Well, you can use a security policy before all others, with a Custom URL Category as the match object, and allow traffic through this rule (supported since 4.1.x).

Like this:

Kind regards

Marco

That would be great if we were running 4.1... We're still on 4.0.12 at this point... With 17 firewalls and Panorama, upgrading is somewhat painful..

Panorama should make that easy. ;)
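An added example, not part of the thread and not Palo Alto Networks code: it walks the CNAME chain from the dig answer quoted in the question to show what an FQDN address object reduces to once only IP addresses are matched, and compares the shortest TTL in the chain with the refresh interval mentioned in the reply. The function names and the 1800-second interval are assumptions made for illustration.

```python
# Constructed input: the ANSWER section quoted in the question above.
DIG_ANSWER = """\
www.microsoft.com.      1937    IN      CNAME   toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 20    IN      CNAME   g.www.ms.akadns.net.
g.www.ms.akadns.net.    20      IN      CNAME   lb1.www.ms.akadns.net.
lb1.www.ms.akadns.net.  265     IN      A       65.55.57.27
"""

def parse_answer(text):
    """Return {owner: [(ttl, rtype, rdata), ...]} from dig ANSWER lines."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or line.startswith(";"):
            continue  # skip comments, headers and blank lines
        owner, ttl, _cls, rtype, rdata = fields
        records.setdefault(owner.lower(), []).append((int(ttl), rtype, rdata.lower()))
    return records

def expand_fqdn(fqdn, records, max_depth=8):
    """Follow CNAMEs to A records; return (ips, chain, min_ttl)."""
    name = fqdn.lower().rstrip(".") + "."
    chain, ips, min_ttl = [name], set(), None
    for _ in range(max_depth):  # bounded so a CNAME loop cannot hang the walk
        rrset = records.get(name, [])
        for ttl, rtype, rdata in rrset:
            min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
            if rtype == "A":
                ips.add(rdata)
        cnames = [r for _, t, r in rrset if t == "CNAME"]
        if not cnames:
            break
        name = cnames[0]
        chain.append(name)
    return ips, chain, min_ttl

def stale_window(min_ttl, refresh_seconds):
    """Seconds per refresh cycle in which the cached IPs may be outdated."""
    return max(0, refresh_seconds - min_ttl)

if __name__ == "__main__":
    ips, chain, ttl = expand_fqdn("www.microsoft.com", parse_answer(DIG_ANSWER))
    print("rule matches destination IPs:", sorted(ips))
    print("resolved via:", " -> ".join(chain))
    # 1800 s: the 30-minute refresh mentioned in the reply, taken as an assumption
    print("possible stale seconds per cycle:", stale_window(ttl, 1800))
```

The result is a set of IP addresses with no hostname attached, so a rule built on the FQDN object matches any traffic to those addresses for as long as they stay cached.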
