https://community.cisco.com/t5/network-security/ftd-fmc-dns-group-objects/m-p/3888040#M940422 <P>Hi Guys,</P><P>&nbsp;</P><P>We are migrating from SOPHOS UTM to FTD/FMC and i'm in my documentation stage.</P><P>&nbsp;</P><P>SOPHOS has an object called a "DNS Group" object, this can be used anywhere in the firewall, essentially this object will query and store all IPs for the destination in the variable, and keep it updated, see below;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="11-07-2019 11-28-11 AM.jpg" style="width: 363px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/40522i740B35C2C5F2C78E/image-size/large?v=v2&amp;px=999" role="button" title="11-07-2019 11-28-11 AM.jpg" alt="11-07-2019 11-28-11 AM.jpg" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="11-07-2019 9-43-25 AM.jpg" style="width: 609px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/40520i7DD9A6AD326A8873/image-size/large?v=v2&amp;px=999" role="button" title="11-07-2019 9-43-25 AM.jpg" alt="11-07-2019 9-43-25 AM.jpg" /></span></P><P>&nbsp;</P><P>As you can see, the object "s3-ap-southeast-2.amazonaws.com" has picked up <U>106</U> IP Addresses, and i use this object in a firewall rule to allow traffic to this destination.....</P><P>&nbsp;</P><P>Can this be done with FTD/FMC?</P><P>&nbsp;</P><P>If so, great! how would i find out what IPs have been resolved?</P><P>&nbsp;</P><P>If not.....what could i do as a work around, beside inputting 106 IP Addresses into a group...</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 21 Feb 2020 17:17:55 GMT Warren Sullivan - Corp 2020-02-21T17:17:55Z https://community.cisco.com/t5/network-security/ftd-fmc-dns-group-objects/m-p/3888040#M940422 <P>Hi Guys,</P><P>&nbsp;</P><P>We are migrating from SOPHOS UTM to FTD/FMC and i'm in my documentation stage.</P><P>&nbsp;</P><P>SOPHOS has an object called a "DNS Group" object, this can be used anywhere in the firewall, essentially this object will query and store all IPs for the destination in the variable, and keep it updated, see below;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="11-07-2019 11-28-11 AM.jpg" style="width: 363px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/40522i740B35C2C5F2C78E/image-size/large?v=v2&amp;px=999" role="button" title="11-07-2019 11-28-11 AM.jpg" alt="11-07-2019 11-28-11 AM.jpg" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="11-07-2019 9-43-25 AM.jpg" style="width: 609px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/40520i7DD9A6AD326A8873/image-size/large?v=v2&amp;px=999" role="button" title="11-07-2019 9-43-25 AM.jpg" alt="11-07-2019 9-43-25 AM.jpg" /></span></P><P>&nbsp;</P><P>As you can see, the object "s3-ap-southeast-2.amazonaws.com" has picked up <U>106</U> IP Addresses, and i use this object in a firewall rule to allow traffic to this destination.....</P><P>&nbsp;</P><P>Can this be done with FTD/FMC?</P><P>&nbsp;</P><P>If so, great! how would i find out what IPs have been resolved?</P><P>&nbsp;</P><P>If not.....what could i do as a work around, beside inputting 106 IP Addresses into a group...</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 21 Feb 2020 17:17:55 GMT https://community.cisco.com/t5/network-security/ftd-fmc-dns-group-objects/m-p/3888040#M940422 Warren Sullivan - Corp 2020-02-21T17:17:55Z https://community.cisco.com/t5/network-security/ftd-fmc-dns-group-objects/m-p/3888446#M940423 <P>If it's used in an ACL, you can simply use the FQDN directly.</P> Thu, 11 Jul 2019 12:35:52 GMT https://community.cisco.com/t5/network-security/ftd-fmc-dns-group-objects/m-p/3888446#M940423 Marvin Rhoads 2019-07-11T12:35:52Z https://community.cisco.com/t5/network-security/ftd-fmc-dns-group-objects/m-p/3888813#M940424 <P>So it will pickup all 106 IP Addresses?</P> Thu, 11 Jul 2019 22:51:26 GMT https://community.cisco.com/t5/network-security/ftd-fmc-dns-group-objects/m-p/3888813#M940424 Warren Sullivan - Corp 2019-07-11T22:51:26Z https://community.cisco.com/t5/network-security/ftd-fmc-dns-group-objects/m-p/3888907#M940425 <P>More or less - it will evaluate traffic as to whether it matches any of the addresses that resolve from that FQDN.</P> Fri, 12 Jul 2019 04:57:23 GMT https://community.cisco.com/t5/network-security/ftd-fmc-dns-group-objects/m-p/3888907#M940425 Marvin Rhoads 2019-07-12T04:57:23Z https://community.cisco.com/t5/network-security/ftd-fmc-dns-group-objects/m-p/3892321#M940426 Awesome, thanks Marvin, your a wealth of knowledge on this platform, it is truly appreciated!<BR /><BR />One more quick one, for a FQDN object, do i have to put in the fully qualified name or just the host itself?<BR /><BR />for example;<BR /><BR />PRD-NPS01 instead of PRD-NPS01.domain.com... Wed, 17 Jul 2019 23:52:47 GMT https://community.cisco.com/t5/network-security/ftd-fmc-dns-group-objects/m-p/3892321#M940426 Warren Sullivan - Corp 2019-07-17T23:52:47Z https://community.cisco.com/t5/network-security/ftd-fmc-dns-group-objects/m-p/3892372#M940427 <P>The FQDN needs to be fully qualified. The FTD device doesn't know to append a local domain.</P> <P>Note that FQDN objects can only be used in Access Control and prefilter rules. You must have setup DNS both as a DNS Server Group object in FMC as well as per device that will be using the objects (Devices &gt; Platform Settings and then "Enable DNS name resolution by device").</P> Thu, 18 Jul 2019 02:46:27 GMT https://community.cisco.com/t5/network-security/ftd-fmc-dns-group-objects/m-p/3892372#M940427 Marvin Rhoads 2019-07-18T02:46:27Z