04-26-2018 07:24 AM - edited 02-21-2020 07:40 AM
We have deployed the feature where an object is created, and the firewall checks DNS every minute for the IP of that public host. Example
!
object network www.sears.com
fqdn www.sears.com
object-group network internet
network-object object www.sears.com
!
access-list test1 permit tcp any object-group internet eq 80
!
This works well for a static site. However, if the target site does redirects to other sites for content, the process fails, as those redirected sites are not allowed outbound by the access-list.
I wonder if there is a feature or configuration on the firewall that would enable inspection of the connections for redirects, and then allow those connections?
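An added example, not from the original post or from Cisco: it walks a redirect chain (simulated offline with a constructed map of URL to Location header), resolves relative Location values, stops runaway or looping chains, and renders one FQDN object per hostname in the same object/object-group/access-list shape as the config above. The sample hostnames other than www.sears.com, the cdn.example-cdn.net domain and the redirect map are assumed test data.

```python
"""Collect the hosts an HTTP redirect chain touches and emit matching ASA
FQDN objects so each of them can be permitted outbound."""
from urllib.parse import urljoin, urlsplit

# Constructed sample chain: URL -> value of the Location header it returns.
# None means the URL served content itself (end of the chain).
SAMPLE_REDIRECTS = {
    "http://www.sears.com/": "https://www.sears.com/",
    "https://www.sears.com/": "/home",                          # relative Location
    "https://www.sears.com/home": "https://cdn.example-cdn.net/landing",
    "https://cdn.example-cdn.net/landing": None,
}


def follow_redirects(start_url, redirects, max_hops=10):
    """Return the hostnames visited, in order and without duplicates.
    Relative Location values are resolved against the current URL; a chain
    longer than max_hops (including a redirect loop) raises instead of
    spinning. A URL missing from the map is treated as the end of the chain."""
    hosts = []
    url = start_url
    for _ in range(max_hops):
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
        location = redirects.get(url)
        if location is None:
            return hosts
        url = urljoin(url, location)
    raise RuntimeError("redirect chain exceeded %d hops" % max_hops)


def asa_fqdn_config(hosts, group_name="internet", ports=(80,)):
    """Render ASA config lines: one FQDN network object per host, a group
    holding them, and one access-list entry per TCP port."""
    lines = []
    for host in hosts:
        lines += ["object network %s" % host, " fqdn %s" % host]
    lines.append("object-group network %s" % group_name)
    lines += [" network-object object %s" % host for host in hosts]
    for port in ports:
        lines.append("access-list test1 permit tcp any object-group %s eq %d"
                     % (group_name, port))
    return "\n".join(lines)


if __name__ == "__main__":
    chain_hosts = follow_redirects("http://www.sears.com/", SAMPLE_REDIRECTS)
    # The sample chain crosses to HTTPS, so 443 is permitted alongside 80.
    print(asa_fqdn_config(chain_hosts, ports=(80, 443)))
```

Run against real responses, the same hostnames would come from the Location headers the firewall cannot see inside an FQDN object; the expire-entry-timer still governs how long each resolved address stays valid.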
04-26-2018 08:49 AM
You might want to try http inspection using regex, that is if all the redirects are within the sears.com domain. But if the redirects go to other domains then this is not a scalable solution. A better option would be to invest in a Web proxy such as WSA or FTD with URL filtering.
Another option would be to use Cisco Umbrella and integrate it with your AD.
04-26-2018 12:07 PM
04-26-2018 12:44 PM
If you mean the delay between lookups, you can do this with the following command
dns expire-entry-timer minutes 10