Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2279
Views
10
Helpful
5
Replies

FTD/FMC DNS Group objects?

Go to solution
Warren Sullivan - Corp
Level 1
Level 1

‎07-10-2019 04:46 PM - edited ‎02-21-2020 09:17 AM

Hi Guys,

 

We are migrating from SOPHOS UTM to FTD/FMC and i'm in my documentation stage.

 

SOPHOS has an object called a "DNS Group" object, this can be used anywhere in the firewall, essentially this object will query and store all IPs for the destination in the variable, and keep it updated, see below;

 

11-07-2019 11-28-11 AM.jpg

 

11-07-2019 9-43-25 AM.jpg

 

As you can see, the object "s3-ap-southeast-2.amazonaws.com" has picked up 106 IP Addresses, and i use this object in a firewall rule to allow traffic to this destination.....

 

Can this be done with FTD/FMC?

 

If so, great! how would i find out what IPs have been resolved?

 

If not.....what could i do as a work around, beside inputting 106 IP Addresses into a group...

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Warren Sullivan - Corp

‎07-17-2019 07:46 PM

The FQDN needs to be fully qualified. The FTD device doesn't know to append a local domain.

Note that FQDN objects can only be used in Access Control and prefilter rules. You must have setup DNS both as a DNS Server Group object in FMC as well as per device that will be using the objects (Devices > Platform Settings and then "Enable DNS name resolution by device").

View solution in original post

5 Replies 5

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-11-2019 05:35 AM

If it's used in an ACL, you can simply use the FQDN directly.

0 Helpful

Go to solution
Warren Sullivan - Corp
Level 1
Level 1
In response to Marvin Rhoads

‎07-11-2019 03:51 PM

So it will pickup all 106 IP Addresses?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Warren Sullivan - Corp

‎07-11-2019 09:57 PM

More or less - it will evaluate traffic as to whether it matches any of the addresses that resolve from that FQDN.

Go to solution
Warren Sullivan - Corp
Level 1
Level 1
In response to Marvin Rhoads

‎07-17-2019 04:52 PM

Awesome, thanks Marvin, your a wealth of knowledge on this platform, it is truly appreciated!

One more quick one, for a FQDN object, do i have to put in the fully qualified name or just the host itself?

for example;

PRD-NPS01 instead of PRD-NPS01.domain.com...
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Warren Sullivan - Corp

‎07-17-2019 07:46 PM

The FQDN needs to be fully qualified. The FTD device doesn't know to append a local domain.

Note that FQDN objects can only be used in Access Control and prefilter rules. You must have setup DNS both as a DNS Server Group object in FMC as well as per device that will be using the objects (Devices > Platform Settings and then "Enable DNS name resolution by device").

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card