Dynamic object-group update - ASA
05-09-2018 07:13 AM - edited 02-21-2020 07:44 AM
I am working on a project where an ACL will have a set of revolving IPs (not often, but from time to time a new node will be added/removed in a cluster that needs access into my network) and I have been provided with a URL to an XML document containing these IPs.
I can write a script that will allow me to check if the XML is updated and alert me to that; however, if this occurs at 2 am, there is little chance that I will be aware of it until the morning comes. I am hoping there is a way to be more proactive, and allow the ASA to monitor this URL and update the object-group accordingly.
Any guidance would be appreciated.
Thanks,
Mark
- Labels: NGFW Firewalls

05-10-2018 01:09 AM
- You add a firewall rule using FQDNs registered to your local DNS server; let's say you now use 5 IPs. You make sure you add more FQDNs in the firewall rule.
- Then you bind the IPs to the FQDNs, and whenever an IP changes you just update the DNS server; the ASA will then grant access without you needing to update the ASA config.
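
The script the question describes can go one step past alerting and compute the object-group change itself. This added example is not from either post: it parses the feed, validates every address, and emits the ASA commands for the delta, refusing to act on an empty feed or an unexpectedly large change. The `<node ip="..."/>` schema, the group name `CLUSTER_NODES`, and the sample addresses are assumptions; pushing the commands to the ASA is left out.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample feed; the real document's schema is not shown in the thread.
# The stdlib parser is used here; for a feed you do not control, a hardened
# parser such as defusedxml is the safer choice.
SAMPLE_FEED = """<nodes>
  <node ip="198.51.100.10"/>
  <node ip="198.51.100.11"/>
  <node ip="198.51.100.13"/>
</nodes>"""


def parse_feed(xml_text):
    """Return the set of host addresses in the feed, rejecting anything malformed."""
    hosts = set()
    for node in ET.fromstring(xml_text).iter("node"):
        addr = ipaddress.ip_address(node.get("ip", ""))  # ValueError on junk
        if addr.version != 4 or addr.is_unspecified or addr.is_multicast or addr.is_loopback:
            raise ValueError(f"refusing suspicious address {addr}")
        hosts.add(str(addr))
    return hosts


def plan_update(group, current, desired, max_changes=2):
    """Build the ASA commands that turn `current` membership into `desired`.

    Raises instead of emitting commands when the feed is empty or the delta is
    larger than expected, so a truncated or tampered feed cannot rewrite the ACL.
    """
    if not desired:
        raise ValueError("feed is empty; keeping existing object-group")
    add, remove = sorted(desired - current), sorted(current - desired)
    if len(add) + len(remove) > max_changes:
        raise ValueError(f"{len(add) + len(remove)} changes exceeds limit {max_changes}")
    if not add and not remove:
        return []
    # Additions are listed first, then removals.
    return ([f"object-group network {group}"]
            + [f" network-object host {ip}" for ip in add]
            + [f" no network-object host {ip}" for ip in remove])


if __name__ == "__main__":
    running = {"198.51.100.10", "198.51.100.11", "198.51.100.12"}  # constructed
    for line in plan_update("CLUSTER_NODES", running, parse_feed(SAMPLE_FEED)):
        print(line)
```

A rejected update is the point at which to page a human, since it means the feed changed in a way the script was not told to expect.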
