FQDN hosts used in Access Lists

Daniel Smith
Level 1

We have deployed the feature where an object is created, and the firewall checks DNS every minute for the IP of that public host. Example:

!
object network www.sears.com
 fqdn www.sears.com
object-group network internet
 network-object object www.sears.com
!
access-list test1 permit tcp any object-group internet eq 80
!

This works well for a static site. However, if the target site does redirects to other sites for content, the process fails, as those redirected sites are not allowed outbound by the access-list.

I wonder if there is a feature or configuration on the firewall that would enable inspection of the connections for redirects, and then allow those connections?

3 Replies

You might want to try http inspection using regex, that is if all the redirects are within the sears.com domain. But if the redirects go to other domains then this is not a scalable solution. A better option would be to invest in a Web proxy such as WSA or FTD with URL filtering.

 

Another option would be to use Cisco Umbrella and integrate it with your AD.

--
Please remember to select a correct answer and rate helpful posts

Nice answers, as usual. Is it possible to change the DNS lookup process for FQDNs from 1 minute to 5 or 10 minutes?

If you mean the delay between lookups, you can do this with the following command:

dns expire-entry-timer minutes 10

--
Please remember to select a correct answer and rate helpful posts
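To make the behaviour discussed in this thread concrete (an FQDN object resolved into an address cache, an object-group referencing it, an ACE matching on the cached addresses, and the effect of a cache timer on a changed DNS answer), here is a small Python model. It is an added example, not code from the original posts, from Cisco, or from any ASA release. The hostnames, addresses, TTLs and the redirect target cdn.example.net are constructed and resolved from a local table, so nothing touches the network; the way the timer is applied (keep an address for TTL plus the timer after lookup) is an assumption chosen for illustration, not the ASA's documented algorithm. It shows why the original poster's redirect fails: the redirect target has no FQDN object, so its address never enters the group and the connection hits the implicit deny.

```python
"""FQDN network objects in an ASA-style access list, modelled in Python.

Added example; not code from the original thread, Cisco, or any ASA release.
Hostnames, addresses and TTLs are constructed and resolved from a local table,
so nothing here touches the network. How the cache timer is applied is an
assumption for illustration, not the ASA's documented algorithm.
"""
from dataclasses import dataclass, field

# Constructed DNS answers: fqdn -> (address, ttl_seconds). cdn.example.net is
# a made-up redirect target that has no FQDN object in the configuration.
DNS_ANSWERS = {
    "www.sears.com": ("192.0.2.10", 60),
    "cdn.example.net": ("198.51.100.7", 300),
}

# Mirrors 'dns expire-entry-timer minutes N' from the thread (default 1 here);
# the assumed model keeps a resolved address for TTL + this many seconds.
EXPIRE_ENTRY_TIMER_S = 1 * 60


@dataclass
class FqdnObject:
    """'object network NAME' / ' fqdn FQDN' together with its cached answer."""
    name: str
    fqdn: str
    addresses: set = field(default_factory=set)
    expires_at: float = -1.0  # nothing cached yet, so the first use resolves


def resolve(obj: FqdnObject, now: float) -> set:
    """Refresh the cached address once the entry has aged out (assumed model)."""
    if now >= obj.expires_at:
        answer = DNS_ANSWERS.get(obj.fqdn)
        if answer is None:
            obj.addresses, obj.expires_at = set(), now  # unresolved: retry next time
        else:
            addr, ttl = answer
            obj.addresses = {addr}
            obj.expires_at = now + ttl + EXPIRE_ENTRY_TIMER_S
    return obj.addresses


@dataclass
class AccessListEntry:
    """'access-list NAME permit tcp any object-group GROUP eq PORT'."""
    action: str      # "permit" or "deny"
    proto: str       # "tcp" or "udp"
    dst_group: list  # network-object members of the destination object-group
    dst_port: int


def evaluate(acl: list, proto: str, dst_ip: str, dst_port: int, now: float) -> str:
    """First matching ACE wins; no match means the implicit deny at the end."""
    for ace in acl:
        if ace.proto != proto or ace.dst_port != dst_port:
            continue
        if any(dst_ip in resolve(obj, now) for obj in ace.dst_group):
            return ace.action
    return "deny"


def build_acl() -> list:
    """The thread's configuration: one FQDN object inside group 'internet'."""
    sears = FqdnObject(name="www.sears.com", fqdn="www.sears.com")
    internet = [sears]  # object-group network internet
    return [AccessListEntry("permit", "tcp", internet, 80)]  # access-list test1


def follow_redirect(acl: list, now: float) -> list:
    """Verdicts for the initial request and for the constructed redirect hop."""
    hops = ["www.sears.com", "cdn.example.net"]
    return [(h, evaluate(acl, "tcp", DNS_ANSWERS[h][0], 80, now)) for h in hops]


if __name__ == "__main__":
    acl = build_acl()
    for host, verdict in follow_redirect(acl, now=0.0):
        print(f"{host:20} -> {verdict}")
```

Running it prints a permit for www.sears.com and a deny for the redirect hop. The same model also shows the timer trade-off raised in the last two replies: when the DNS answer changes, the old address stays permitted and the new one stays denied until the cached entry ages out, so a longer timer reduces lookups but lengthens the window in which the firewall's view of the host is stale.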