ASA Wildcard FQDN object acl

abhik.dey
Level 1

Hello,

I have a requirement to allow an internal server (LAN segment 172.16.x.x) to fetch WSUS updates. Microsoft has provided a handful of URLs, which even include FQDNs with wildcards. Can anyone help with how to achieve this?

URLS

http://*.update.microsoft.com
http://*.windowsupdate.com
http://*.windowsupdate.microsoft.com
http://crl.microsoft.com
http://download.windowsupdate.com
http://ntservicepack.microsoft.com
http://test.stats.update.microsoft.com
http://windowsupdate.microsoft.com
https://*.update.microsoft.com
https://*.windowsupdate.microsoft.com


8 Replies

Marvin Rhoads
Hall of Fame

You cannot do this with an access-list and a network object of type FQDN. That is because

The FQDN must begin and end with a digit or letter. Only letters, digits, and hyphens are allowed as internal characters.

Reference:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/f2.html#pgfId-2058089

It would be technically possible to use http inspection with a regex (regular expression) but that solution is not recommended as it does not perform very well at scale or speed.

The best approach would be to use a proper web filtering appliance or tool - either the Cisco WSA or the URL Filtering feature of ASA FirePOWER services.

You could also do it using Cisco Umbrella (former OpenDNS product) if it is deployed in a way that it integrates with your AD. Servers could then be in a group that whitelisted those FQDNs while all other machines were blacklisted from them.
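As an added example (not from the post, and not Cisco's code), the following Python script applies the FQDN character rule quoted above to the URL list in the question: it separates hostnames that an ASA FQDN network object can hold from the wildcard entries it cannot, and emits the `object network` / `fqdn`, `object-group` and `access-list` lines for the ones that pass. The source object name WSUS-SERVER, the ACL name INSIDE_IN, the `outside` interface and the DNS server 10.0.0.53 are assumptions for the example; substitute your own. The script works unchanged on a longer list such as the 450-URL bypass list mentioned later in the thread.

```python
"""Check which hosts in a Microsoft update URL list an ASA FQDN object can hold,
and emit the ASA objects and access-list entries for those that qualify."""
import re
from urllib.parse import urlparse

# Constructed sample input: the URL list from the question (trailing quote marks dropped).
WSUS_URLS = [
    "http://*.update.microsoft.com",
    "http://*.windowsupdate.com",
    "http://*.windowsupdate.microsoft.com",
    "http://crl.microsoft.com",
    "http://download.windowsupdate.com",
    "http://ntservicepack.microsoft.com",
    "http://test.stats.update.microsoft.com",
    "http://windowsupdate.microsoft.com",
    "https://*.update.microsoft.com",
    "https://*.windowsupdate.microsoft.com",
]

# One DNS label as the ASA 'fqdn' keyword accepts it: begins and ends with a letter
# or digit, only letters, digits and hyphens in between. Dots separate labels, so
# a '*' label (or an empty label from '..') fails the check.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumed values for the example: the ASA resolves names on 'outside' via 10.0.0.53.
DNS_PREAMBLE = [
    "dns domain-lookup outside",
    "dns server-group DefaultDNS",
    " name-server 10.0.0.53",
]


def asa_fqdn_ok(host: str) -> bool:
    """True if every label of host satisfies the ASA FQDN character rule."""
    return bool(host) and all(LABEL_RE.match(label) for label in host.split("."))


def classify(urls):
    """Return ({host: sorted ports}, [unsupported urls]).

    Wildcard hosts, and anything else the ASA cannot express as an FQDN object,
    land in the second list so they can be handed to a URL filter instead."""
    supported, unsupported = {}, []
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        port = parsed.port or DEFAULT_PORTS.get(parsed.scheme)
        if port is None or not asa_fqdn_ok(host):
            unsupported.append(url)
            continue
        supported.setdefault(host, set()).add(port)
    return {h: sorted(p) for h, p in supported.items()}, unsupported


def asa_config(hosts, src_object="WSUS-SERVER", acl="INSIDE_IN"):
    """Emit ASA CLI: one FQDN network object per host, one object-group per TCP
    port, and one ACE per group. src_object (the internal WSUS server) and the
    ACL name are assumptions for the example."""
    lines = list(DNS_PREAMBLE)
    for host in sorted(hosts):
        lines += [f"object network obj-{host}", f" fqdn {host}"]
    by_port = {}
    for host, ports in hosts.items():
        for port in ports:
            by_port.setdefault(port, []).append(host)
    for port in sorted(by_port):
        group = f"WSUS-HOSTS-{port}"
        lines.append(f"object-group network {group}")
        lines += [f" network-object object obj-{h}" for h in sorted(by_port[port])]
        lines.append(
            f"access-list {acl} extended permit tcp object {src_object} "
            f"object-group {group} eq {port}"
        )
    return lines


if __name__ == "__main__":
    hosts, unsupported = classify(WSUS_URLS)
    print("\n".join(asa_config(hosts)))
    print("\n! Not expressible as ASA FQDN objects (needs URL filtering):")
    for url in unsupported:
        print("! " + url)
```

For the list in the question this yields five FQDN objects, all on TCP/80, and rejects the five wildcard entries. Keep in mind that the ASA matches an `fqdn` object on the addresses its own DNS lookups return, not on the HTTP Host header; that is why a wildcard has no representation, and why the ACE can miss traffic if the server resolves the name through a different resolver and gets different addresses (common for CDN-fronted names). `show dns-hosts` on the ASA shows what each object currently resolves to.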

Hi Marvin,

Thanks for the response. I was of a similar mind, as it does not support wildcards. Moreover, it also says to have the HTTPS service allowed. I don't think the ASA can do inspection of HTTPS traffic.

You're welcome.

That's correct - https inspection can be done by FirePOWER but it causes a very big performance degradation and requires some measures that most smaller shops don't have the wherewithal to undertake.

Let me know if you would like more explanation or, if your question has been answered, please mark it so.

@Marvin Rhoads ... I am assuming you meant that the FQDN type would not work with wildcards only, but would work with a regular URL, such as www.cisco.com, correct?

Also, I am required to add a BYPASS ACL to include about 450 URLs that were provided to us by Microsoft. Are there any performance or utilization issues that might occur as a result of using this high number of URLs?

Thanks in advance!!


@zekebashi wrote:

@Marvin Rhoads ... I am assuming you meant that the FQDN type would not work with wildcards only, but would work with a regular URL, such as www.cisco.com, correct?

Also, I am required to add a BYPASS ACL to include about 450 URLs that were provided to us by Microsoft. Are there any performance or utilization issues that might occur as a result of using this high number of URLs?

#1 - correct.

#2 - on what platform?

On an ASA 5585....

Thanks in advance.

ASA 5585-X with Firepower service module? With URL filtering license?

If so, the URL filtering to allow the Microsoft list should work fine - that's what it's designed to do.

Unfortunately, not with FP service module nor URL filtering.

That's the reason why we are considering creating a BYPASS list for all MS FQDNs and IP/subnets. Our concern is the FQDN DNS-to-IP resolution and what impact it might have on the CPU and memory!
