Firewall rules for dns objects - what is the fix

carl_townshend
Spotlight

Hi All,

We use a cloud-based URL filtering product, but we seem to run into issues with some servers that bypass this and need to go to the internet directly.

The issue with this is that when we allow IP-based rules, the IPs seem to constantly change, so we need to amend the rule again.

What would be the best fix for this?

Some firewalls, such as Check Point, use DNS-based objects, but they affect firewall performance.

What are the options?

Would you need to run a local on-prem proxy to fix this?

Cheers

2 Replies

rdz586
Level 1

Hi Carl,

I have used FQDNs on Cisco ASA / FortiGate firewalls previously and have had no performance issues, although it will depend on the firewall model and how many rules you plan to use FQDNs for.

I would normally use IP addresses if you can and only use FQDNs when the IP address is likely to change frequently, which in my experience is usually the case for IP addresses in public cloud environments.

Hi,

Yes, using DNS in an ACL is supported on ASA; see the Cisco guide here. If you are using FTD, you could use URL Filtering instead of DNS to resolve the hostname.

HTH
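For reference, here is what an FQDN-based allow rule looks like on an ASA, as an added illustration rather than configuration from either reply; the interface name, DNS server, object name and hostname are made-up placeholders.

```cisco
! ASA must be able to resolve names itself: enable lookups on the
! interface that reaches the DNS server and define the server group.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 203.0.113.53
! Shorten the cached-entry lifetime and the re-poll interval so the
! firewall tracks records that change often (cloud/CDN endpoints).
dns expire-entry-timer minutes 1
dns poll-timer minutes 1

! Network object keyed on a hostname (placeholder) instead of an IP.
object network obj-vendor-updates
 fqdn vendor-updates.example.com

! Allow only HTTPS from the inside to whatever that name resolves to.
access-list INSIDE_OUT extended permit tcp any object obj-vendor-updates eq 443
access-group INSIDE_OUT in interface inside
```

Note that the rule matches the addresses the ASA resolved, not the ones the client resolved, so point both at the same DNS servers and use `show dns` to confirm which IPs the object currently holds when a flow is unexpectedly denied.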