01-10-2025 07:36 AM
Once a week, someone reports having issues accessing a site. Today that issue involves a credit card processing page that is aging-out because there is no SSL inspection exception. FW Logs of course show an IP address (no URL/FQDN), and the rule to allow access or exclude from ssl inspection requires using an FQDN.
The page URL in address bar has been allowed and browser/dev tools/console/sources does not indicate any other place where the browser is trying to go. I also look at OpenDNS reports to see what DNS queries the user made around the same time. There can be 100 sites within a few seconds, so I end up doing an NSLOOKUP on each of the FQDNs in the OpenDNS report to see if the IP matches the blocked traffic in the FW. Once I match the FQDN to the IP, I know that is the FQDN that needs to be unblocked in the FW.
This is a very tedious process, and after spending an hour on this today, I am not able to find the right FQDN to match the IPs that are being blocked.
Does anyone have a tool or better way to locate FQDNs for blocked IPs? If life were easy, OpenDNS (OR PALO) would record both the FQDN and the translated IP when DNS is queried so I would not have to search for it, but alas, that doesn't seem to be a thing for any vendor, so I keep having to do these treasure hunts on a regular basis.
Any suggestions/tricks/tips would be greatly appreciated.
01-13-2025 06:31 PM
Hello @ppeeters,
DNS Security may help, if your FQDN is somehow a possible risk domain.
Maybe you can enable the logging (once your firewall is fixed for CVE-2024-3393) and monitor the threat logs for input.
Otherwise, you can leave a capture running on DNS traffic from a computer and check directly in the capture when needed.
Similar to that, you can set up a DNS proxy on the firewall, so you can check on the DNS proxy cache on the firewall.
Olivier
PCSNE - CISSP
Best Effort contributor
Check out our PANCast Channel
Disclaimer : All messages are my personal ones and do not represent my company's view in any way.
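The correlation this thread does by hand (match the denied destination IPs in the firewall log against the names seen in DNS answers from a capture or DNS proxy cache), as an added example that is not code from the original thread or from Palo Alto Networks. The DNS record format and the firewall log fields below are constructed assumptions; a real export would need its own parser.

```python
import re
from collections import defaultdict

# Constructed sample DNS answers, as you might export them from a packet
# capture or a DNS proxy cache: "name type value", one record per line.
DNS_ANSWERS = """\
pay.example-merchant.test A 203.0.113.10
pay.example-merchant.test A 203.0.113.11
cdn.example-merchant.test A 198.51.100.7
api.example-psp.test CNAME edge.example-psp.test
edge.example-psp.test A 192.0.2.55
"""

# Constructed sample firewall log lines: the deny entries carry only an IP.
FW_LOG = """\
2025-01-10 07:30:01 action=deny src=10.1.2.3 dst=192.0.2.55 dport=443
2025-01-10 07:30:02 action=allow src=10.1.2.3 dst=198.51.100.7 dport=443
2025-01-10 07:30:05 action=deny src=10.1.2.3 dst=203.0.113.99 dport=443
"""

def build_ip_index(dns_text):
    """Map each answered IP to every FQDN that resolves to it, following CNAME chains."""
    a_records = defaultdict(set)  # name -> {ip}
    cnames = {}                   # alias -> target
    for line in dns_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        name, rtype, value = parts
        if rtype == "A":
            a_records[name].add(value)
        elif rtype == "CNAME":
            cnames[name] = value
    index = defaultdict(set)
    for name in set(a_records) | set(cnames):
        target, seen = name, set()
        while target in cnames and target not in seen:  # stop on CNAME loops
            seen.add(target)
            target = cnames[target]
        for ip in a_records.get(target, ()):
            index[ip].add(name)  # the queried alias counts as a match too
    return index

DENY_RE = re.compile(r"action=deny\b.*?\bdst=(\d+\.\d+\.\d+\.\d+)")

def blocked_ips(fw_log_text):
    """Destination IPs of every denied session, in log order."""
    return [m.group(1) for line in fw_log_text.splitlines() if (m := DENY_RE.search(line))]

def correlate(dns_text, fw_log_text):
    """Blocked IP -> sorted FQDNs seen resolving to it; [] means no DNS answer matched."""
    index = build_ip_index(dns_text)
    return {ip: sorted(index.get(ip, ())) for ip in blocked_ips(fw_log_text)}

if __name__ == "__main__":
    for ip, names in correlate(DNS_ANSWERS, FW_LOG).items():
        print(ip, "->", ", ".join(names) or "(no matching DNS answer)")
```

An empty list against a blocked IP is the case from the original post: the destination was reached without a DNS lookup the capture saw, so the capture window or the capturing host is the next thing to check.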