
FTD/FMC DNS Group objects?

Hi Guys,

We are migrating from SOPHOS UTM to FTD/FMC and I'm in my documentation stage.

SOPHOS has an object called a "DNS Group" object. This can be used anywhere in the firewall; essentially this object will query and store all IPs for the destination in the variable, and keep it updated, see below:

[screenshot: 11-07-2019 11-28-11 AM.jpg]

[screenshot: 11-07-2019 9-43-25 AM.jpg]

As you can see, the object "s3-ap-southeast-2.amazonaws.com" has picked up 106 IP Addresses, and I use this object in a firewall rule to allow traffic to this destination...

Can this be done with FTD/FMC?

If so, great! How would I find out what IPs have been resolved?

If not... what could I do as a workaround, besides inputting 106 IP Addresses into a group...

Hall of Fame Master

Re: FTD/FMC DNS Group objects?

If it's used in an ACL, you can simply use the FQDN directly.

Re: FTD/FMC DNS Group objects?

So it will pick up all 106 IP Addresses?

Hall of Fame Master

Re: FTD/FMC DNS Group objects?

More or less - it will evaluate traffic as to whether it matches any of the addresses that resolve from that FQDN.

Re: FTD/FMC DNS Group objects?

Awesome, thanks Marvin, you're a wealth of knowledge on this platform, it is truly appreciated!

One more quick one: for an FQDN object, do I have to put in the fully qualified name or just the host itself?

For example:

PRD-NPS01 instead of PRD-NPS01.domain.com...
Hall of Fame Master

Re: FTD/FMC DNS Group objects?

The FQDN needs to be fully qualified. The FTD device doesn't know to append a local domain.

Note that FQDN objects can only be used in Access Control and prefilter rules. You must have set up DNS both as a DNS Server Group object in FMC as well as per device that will be using the objects (Devices > Platform Settings and then "Enable DNS name resolution by device").
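A small offline check of what an FQDN object would match, added here as an illustration and not Cisco's or the FTD's own code: it models the two points made in the thread (a rule matches whatever addresses the name currently resolves to, and a bare host name never resolves because no local domain is appended). The `CONSTRUCTED_DNS` table, the `prd-nps01.domain.com` name and the RFC 5737/3849 documentation addresses are constructed, and `system_resolver` is an assumed stand-in for the device's own DNS lookup.

```python
import ipaddress
import socket
from typing import Callable, Iterable

# A resolver maps a name to the address strings it resolves to ([] if it does not resolve).
Resolver = Callable[[str], Iterable[str]]


def system_resolver(name: str) -> list[str]:
    """Assumed stand-in for the device's DNS lookup: A and AAAA via the host's stub resolver."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def is_fully_qualified(name: str) -> bool:
    """FTD appends no local search domain, so a bare host label (PRD-NPS01) can never resolve."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def resolved_addresses(name: str, resolver: Resolver = system_resolver) -> set:
    """The address set an FQDN object would match right now (empty if the name cannot resolve)."""
    if not is_fully_qualified(name):
        return set()
    return {ipaddress.ip_address(a) for a in resolver(name)}


def rule_matches(name: str, destination: str, resolver: Resolver = system_resolver) -> bool:
    """Would traffic to this destination match an access rule built on the FQDN object?"""
    return ipaddress.ip_address(destination) in resolved_addresses(name, resolver)


# Constructed lookup table (RFC 5737 / RFC 3849 documentation addresses) so the demo runs offline.
CONSTRUCTED_DNS = {
    "s3-ap-southeast-2.amazonaws.com": ["192.0.2.10", "192.0.2.11", "2001:db8::10"],
    "prd-nps01.domain.com": ["192.0.2.50"],
}


def table_resolver(name: str) -> list[str]:
    """Offline resolver over the constructed table; lookups are case-insensitive like DNS."""
    return CONSTRUCTED_DNS.get(name.lower().rstrip("."), [])


if __name__ == "__main__":
    for obj in ("s3-ap-southeast-2.amazonaws.com", "PRD-NPS01", "PRD-NPS01.domain.com"):
        addrs = resolved_addresses(obj, table_resolver)
        print(f"{obj}: {len(addrs)} address(es) -> {sorted(map(str, addrs))}")
```

Swapping `table_resolver` for `system_resolver` answers the "which IPs have been resolved?" question from a management host, but only as seen by that host's DNS, which may differ from what the FTD's configured DNS server returns.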