
wildcard URL for cloud services

How are you handling service allowance where wildcard domains are the only firewall configuration provided?  Specifically I am looking at a server that needs access to Microsoft PowerBI services.  I have attached the documentation provided by Microsoft.

 

If these were FQDNs I would normally just create a network object group on the ASA and allow the inside server access to the object-group over the specified ports on the insideIN ACL.  Since they are wildcards, I am not sure where to apply the ruleset.

 

We have AMP modules in the 5525-X's and FMC setup.  If I can apply these wildcard allowances for this specific machine in an Access Control Policy, what do I need to do on the ASA insideIN ACL so that the traffic is allowed to the AMP module?  I know this is not the only service to start to provide large wildcarded URL lists and would like to know how others are managing this. 

 

Thanks for your assistance.

1 Reply

In FMC/FTD the firewall looks for a match on the string you enter no matter where in the URL it appears. For example (referencing the document I linked below), cisco.com would match cisco.com/page, page.cisco.com and www.cisco.com.

Check out this link:

 

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118852-technote-firesight-00.html#anc14

 

Another option would be to place the local server in a separate DMZ and allow it full Internet access and then restrict access to the internal network.

 

Hope this helps.

--
Please remember to select a correct answer and rate helpful posts
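The matching behaviour described in the reply above, modelled in Python as an added example (not part of the original posts and not Cisco's implementation). It compares a substring entry with the `*.domain` host wildcard a vendor allow-list usually intends, so an entry can be checked against URLs from your own logs before it goes into a rule; the function names and the `.example` URLs are constructed for illustration.

```python
from urllib.parse import urlsplit


def substring_match(entry: str, url: str) -> bool:
    """Model of the reply's description: the entry may appear anywhere in the URL."""
    return entry.lower() in url.lower()


def wildcard_host_match(pattern: str, url: str) -> bool:
    """Host-anchored match: '*.domain' means the host is a subdomain of domain."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a scheme-less URL as host/path
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # suffix ".domain" forces a subdomain
    return host == pattern


def overmatches(entry: str, pattern: str, urls: list[str]) -> list[str]:
    """URLs the substring entry admits although the host is neither the bare
    domain nor covered by the wildcard pattern."""
    return [
        u for u in urls
        if substring_match(entry, u)
        and not wildcard_host_match(pattern, u)
        and not wildcard_host_match(entry, u)
    ]


# First three URLs are the ones named in the reply; the rest are constructed.
SAMPLE_URLS = [
    "cisco.com/page",
    "page.cisco.com",
    "www.cisco.com",
    "cisco.com.test.example/login",         # domain string used as a host prefix
    "files.example/redirect?to=cisco.com",  # domain string only in the query
    "www.example.org/",                     # unrelated, matches nothing
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:40} substring={substring_match('cisco.com', url)!s:5} "
              f"wildcard={wildcard_host_match('*.cisco.com', url)}")
    print("broader than intended:", overmatches("cisco.com", "*.cisco.com", SAMPLE_URLS))
```
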