Using MineMeld to build a list of IP addresses from a list of domains

L1 Bithead

Our current MineMeld instance is doing a great job of handling our Office 365 requests. Now I'd like to use it to solve a different problem, but I'm not sure how to go about it.

 

We need to allow outbound app-specific traffic to *.somedomain.com. I tried a URL category but that's not working, probably because this traffic isn't HTTPS or HTTP. I thought that, if I could get MineMeld to resolve that wildcard domain to a list of IP addresses (or ranges), then I could put that list in the firewall policy.

 

Is there a way to get MineMeld to resolve wildcard domains to IP addresses?

 

L5 Sessionator

Hi @efritz,

Depending on the number of subdomains under subdomain.com, you can consider using FQDN Objects or a cloud service that generates the list of IPs (the EDL source) out of a large set of FQDNs. Take a look at the serverless implementation of a FQDN Service Feed.

L1 Bithead

The problem with the FQDN object is that there are hundreds of subdomain entries, each corresponding to a virtual machine that is generated on the fly and has a hostname consisting of seemingly random characters.

 

The FQDN Service Feed link you provided will probably work but I was hoping for something simpler. This project is for a small group of users and one application. I'll keep that one in mind as a last resort.

L5 Sessionator

@efritz, I'd look for APIs or logs available in the engine that is spinning up the VMs in order to get the IP addresses from there (instead of trying to get the IP addresses from the FQDN mapped to them). If these logs exist then it should be quite easy to code a script that uses PAN-OS Dynamic Address Group API with them.
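
A sketch of the script suggested in the reply above, added here as an example and not part of the original post: it replays VM start/stop events from a log, validates each address, and builds the PAN-OS User-ID `uid-message` XML that tags live IPs for a Dynamic Address Group. The log format, the sample addresses and the tag name `ext-app-vm` are assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed provisioning log; the field layout is an assumption.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z vm=a8f3k2 event=started ip=203.0.113.10
2024-05-01T10:00:05Z vm=q9z7x1 event=started ip=203.0.113.11
2024-05-01T10:02:40Z vm=a8f3k2 event=stopped ip=203.0.113.10
2024-05-01T10:03:00Z vm=zz0000 event=started ip=999.1.1.1
2024-05-01T10:03:10Z vm=m4n5b6 event=started ip=198.51.100.7
"""
EVENT_RE = re.compile(r"event=(started|stopped)\s+ip=(\S+)")

def active_ips(log_text):
    """Replay start/stop events in order; return IPs of VMs still running."""
    live = set()
    for line in log_text.splitlines():
        match = EVENT_RE.search(line)
        if not match:
            continue
        event, raw = match.groups()
        try:
            ip = str(ipaddress.ip_address(raw))
        except ValueError:
            continue  # malformed address: never forward it to the firewall
        if event == "started":
            live.add(ip)
        else:
            live.discard(ip)
    return live

def build_uid_message(previous, current, tag):
    """Build a uid-message that registers new IPs and unregisters stale ones."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    changes = (("register", current - previous), ("unregister", previous - current))
    for action, ips in changes:
        if not ips:
            continue
        node = ET.SubElement(payload, action)
        for ip in sorted(ips):
            entry = ET.SubElement(node, "entry", ip=ip)
            ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    # "ext-app-vm" is a hypothetical tag that the Dynamic Address Group matches on.
    print(build_uid_message({"203.0.113.10"}, active_ips(SAMPLE_LOG), "ext-app-vm"))
```

The returned string is the body submitted as the `cmd` parameter of a `type=user-id` XML API request; the request itself and the API key handling are left out here.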

L1 Bithead

Unfortunately I don't have access to that info. The VMs are spun up by an external company. Oh well.

I've adopted a cruder approach: I created a URL category using the wildcard domains. It gets used in a firewall policy. It's not perfect but it covers 80% of the problem.

 

Thanks, all, for your thoughts.

 
