08-08-2025 06:10 AM
I need to write a rule that looks like this:
Source zone: Internal
Destination zone: External
Source address: 10.38.105.201
Destination address: This is where it is tricky. I need the destination addresses to be *.myqlink.biz, *.med.myqlink.net and *.internapcdn.net, but I am aware you cannot use wildcards for FQDN objects, and it needs to be done via the custom URL category/URL profile. So would this be "any"?
Application: any
Destination port: tcp-1433
Action: allow
My question to you, I guess, is: as this is an allow rule, is it safe to put "any" in the destination address field? Wouldn't that allow 10.38.105.201 to any external destination? I just want to allow that source to those three wildcards via tcp-1433 and that is it.
As well, you create the custom URL category, add those 3 wildcards and maybe a few more for their subdomains, and hit OK. Then move to the URL Filtering security profile, create one, go to the custom URL category in the security profile and set it to alert so it logs to Panorama. Then put destination "any" in the ACL's destination address field (of course adding the new URL profile I had just created to the rule)? Or is that completely wrong?
I just don't want to allow that 10. IP to anything and everything external, and we just don't know what the beginning of the domains will be.
Here are the documents from the vendor; I've also uploaded those photos to the discussion.
Ports: https://imgur.com/a/MVH2lG0
URLs: https://imgur.com/a/rxnow-cabinet-requirements-tHx2lua
08-18-2025 02:47 AM
This will allow the client to set up 'initial' sessions towards basically anywhere as long as it's using port 1433, but the category lookup mechanism will determine pretty quickly if this session matched the right category or not.
If it doesn't, the rule will release the session and a new security rule lookup will happen. If the session no longer matches any rules that allow it, it will be dropped.
So while yes, you'll allow TCP handshakes to basically the entire internet, URL category lookup should catch up quick before any 'rogue' applications can connect.
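As an added example (not part of the thread and not vendor documentation), this is what the rule described above looks like as PAN-OS `set` commands on a standalone firewall, with the custom URL category used as a match criterion of the security rule (the Service/URL Category tab) rather than only inside a URL Filtering profile. Zone names and the source address are the ones from the question; the object and rule names (svc-tcp-1433, ucat-rxnow, urlf-rxnow-alert, allow-rxnow-sql-1433) are assumed. Lines beginning with `#` are annotations, not CLI input, and the exact syntax should be checked against the PAN-OS release in use before committing.

```text
# 1. Service object: the only port this rule allows.
set service svc-tcp-1433 protocol tcp port 1433

# 2. Custom URL category holding the wildcard domains from the vendor list.
set profiles custom-url-category ucat-rxnow type "URL List"
set profiles custom-url-category ucat-rxnow list [ *.myqlink.biz *.med.myqlink.net *.internapcdn.net ]

# 3. URL Filtering profile that alerts (logs) on that category, so hits show
#    up in the URL Filtering logs forwarded to Panorama.
set profiles url-filtering urlf-rxnow-alert alert [ ucat-rxnow ]

# 4. Security rule. Destination address stays "any", but the custom category
#    is a match criterion: once the firewall categorizes the session and it is
#    not in ucat-rxnow, the session no longer matches this rule and is
#    re-evaluated against the remaining rules (and the default interzone deny).
set rulebase security rules allow-rxnow-sql-1433 from Internal
set rulebase security rules allow-rxnow-sql-1433 to External
set rulebase security rules allow-rxnow-sql-1433 source 10.38.105.201
set rulebase security rules allow-rxnow-sql-1433 source-user any
set rulebase security rules allow-rxnow-sql-1433 destination any
set rulebase security rules allow-rxnow-sql-1433 application any
set rulebase security rules allow-rxnow-sql-1433 service svc-tcp-1433
set rulebase security rules allow-rxnow-sql-1433 category ucat-rxnow
set rulebase security rules allow-rxnow-sql-1433 action allow
set rulebase security rules allow-rxnow-sql-1433 log-end yes
set rulebase security rules allow-rxnow-sql-1433 profile-setting profiles url-filtering urlf-rxnow-alert
```

One check worth doing before relying on this: URL categorization needs a hostname the firewall can read, i.e. an HTTP Host header or a TLS SNI. If the traffic on tcp-1433 is a non-web protocol with no such hostname, there is nothing to categorize and the `category` criterion never tightens the rule. The alert action in the URL Filtering profile is the quickest way to confirm the rule is really matching the category: expect URL Filtering log entries for the session, not only Traffic log entries. On Panorama the same objects and rule are created under the device group (`set device-group <name> ...` with `pre-rulebase`), which the commands above do not cover.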