02-02-2023 06:57 AM
I am looking for an explanation/documentation of what actually happens when I implement something like this:
parameter-map type protocol-info example_allow
server name example.com
server name *.example.com
server name www.example.com
class-map type inspect match-any example_allow
description allowing certain websites
match protocol http example_allow
match protocol https example_allow
class type inspect example_allow
inspect
+ DNS configuration with ip domain lookup enabled
I am putting it on a policy-map; zones and everything else are configured correctly. What I would actually like to achieve is that people who go from zone internal2external, let's say, can only reach this example.com website. I believe that:
show parameter-map type protocol-info dns-cache zone-pair internal2external
will show me the mapping of DNS names to IPs...
So the question is: does it work that way?
Many thanks in advance for shedding some light on this topic.
P.S. Currently we use only static entries (access lists with IP addresses), which for internal services, let's say, is fine, but for dynamic Internet destinations it is not scalable at all.
02-02-2023 07:03 AM - edited 02-02-2023 07:24 AM
Can you elaborate more?
DNS works with IP.
ZoneFirewall can inspect:
1- IP via ACL
2- Protocol
So even if DNS changes the IP, you can still use the protocol instead to inspect the traffic.
02-02-2023 08:21 AM - edited 02-02-2023 08:22 AM
I am not sure if I understood you correctly. In short, I am looking for a solution where I could replace static IP addresses in access lists with dynamic DNS objects, e.g. putting teams.microsoft.com instead of using multiple IP addresses like 52.113.194.132 that lead to Teams.
P.S. I am a beginner with ZBF.
02-02-2023 08:29 AM
Which TCP/UDP ports do you inspect?
02-02-2023 10:06 AM
As an example:
tcp eq 443
tcp eq www
udp eq 3478
udp eq 3479
udp eq 3480
udp eq 3481
02-02-2023 10:38 AM
I will share a config with you.
02-02-2023 11:08 AM
This is a simple lab. R1 is configured with ZoneFirewall, but I use protocol, not IP, for inspection.
I allow only telnet and ICMP.
I tried telnet from R3 to R2: success.
I tried ping from R3 to R2: success.
I tried traceroute from R3 to R2: failed, because traceroute is not allowed by the inspection.
class-map type inspect match-any Port
match protocol telnet
match protocol icmp
!
!
policy-map type inspect policy
class type inspect Port
inspect
class class-default
drop log
!
zone security IN
zone security OUT
zone-pair security IN-to-OUT source IN destination OUT
service-policy type inspect policy
02-02-2023 11:57 AM
Unfortunately this is not what I was looking for. Maybe I described it wrongly, but I am not interested in services/ports/protocols but in "destination objects".
For example, in your lab let's say that router R2 has the DNS name r2.test.com and a web service enabled. I would like to have the possibility to create a rule that allows HTTP only to the domain *.test.com, so for instance from R3 I should be able to HTTP to this R2 even though its IP could change while the name remains the same. So R1 should make a DNS query from time to time to keep it in the DNS cache and dynamically put it in the firewall rule.
Example of a Domain object in a Check Point Security Gateway:
A Domain object lets you define a host or DNS domain by its name only. It is not necessary to have the IP address of the site.
You can use the Domain object in the source and destination columns of an Access Control Policy.
You can configure a Domain object in two ways:
-Select FQDN
In the object name, use the Fully Qualified Domain Name (FQDN). Use the format .x.y.z (with a dot "." before the FQDN). For example, if you use .www.example.com then the Gateway matches www.example.com.
This option is supported for R80.10 and higher, and is the default. It is more accurate and faster than the non-FQDN option.
Security Gateway looks up the FQDN with a direct DNS query, and uses the result in the Rule Base.
-Clear FQDN
This option enforces the domain and its sub-domains. In the object name, use the format .x.y for the name. For example, use .example.com or .example.co.uk for the name. If you use .example.com, then the Gateway matches www.example.com and support.example.com
The Gateway does the name resolution using DNS reverse lookups, which can be inaccurate. The Gateway uses the result in the Rule Base, and caches the result to use again.
02-02-2023 11:59 AM
Now I get it. I will check for a solution and update you soon.
02-02-2023 12:00 PM
ok, thank you very much
02-09-2023 06:14 AM
So far I have not received any feedback that helps me with this topic; anything would be welcome.
02-12-2023 12:54 PM
The policy-map uses a class-map, which can use:
protocol <<- as we see above, this is not suitable for your case
ACL <<- here you can use an ACL to permit/deny a hostname: https://blog.ipspace.net/2008/11/using-hostnames-in-ip-access-lists.html
Try using an ACL with a hostname, as in the link above, with the class-map.
Hope this helps you.
Thanks
02-13-2023 12:29 AM
Hi,
This seems to be static and without any scalability: the DNS lookup probably takes place only at the beginning, putting the IP in place. I am looking for something dynamic.
02-13-2023 04:41 PM
But if your DNS server returns a TTL, then the ZFW will ask for the hostname periodically.
02-14-2023 05:21 AM
But what if DNS load-balances traffic between multiple IPs?
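The last two posts pin down what any FQDN-based destination object has to get right: re-resolve when the TTL expires, and not lose addresses when round-robin DNS hands back a different subset on each query. The following is an added example written for this thread, not code from the thread, from Cisco ZBF or from Check Point. It models a domain object in Python with a constructed in-memory resolver (the zone data, names and addresses are invented; a real gateway would use its own DNS client), honours the TTL, and shows the difference between dropping an address the moment its TTL runs out and keeping it for a grace period after the last time it was seen.

```python
"""Added example: an FQDN-based destination object with TTL-driven refresh.

Illustrative code for this thread, not a Cisco or Check Point implementation.
It shows what a gateway must do to enforce "allow to www.example.com" without
static IPs: resolve the name, honour the DNS TTL, re-resolve when it expires,
and cope with round-robin DNS returning a different subset of addresses on
each query. The resolver is a constructed in-memory stub.
"""
import ipaddress

# Constructed DNS data: each query returns (ttl_seconds, [A records]).
# Two answer sets for www.example.com simulate round-robin rotation.
FAKE_ZONE = {
    "www.example.com": [
        (300, ["203.0.113.10", "203.0.113.11"]),
        (300, ["203.0.113.12", "203.0.113.13"]),
    ],
    "support.example.com": [(60, ["198.51.100.5"])],
}

MIN_REFRESH_SECONDS = 30  # floor so a tiny TTL cannot make the gateway hammer DNS


class StubResolver:
    """Stand-in for a DNS client; cycles through the answer sets per name."""

    def __init__(self, zone):
        self.zone = zone
        self.calls = {}

    def query_a(self, name):
        answers = self.zone.get(name)
        if not answers:
            return 0, []
        i = self.calls.get(name, 0)
        self.calls[name] = i + 1
        return answers[i % len(answers)]


def name_matches(pattern, name):
    """Domain-object matching on label boundaries.

    '*.example.com' matches example.com and any subdomain of it, while
    'evilexample.com' must not match. Any other pattern is an exact FQDN.
    A wildcard object cannot be resolved with a direct query; the gateway
    has to learn the concrete names from DNS traffic it sees.
    """
    name = name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # '.example.com'
        return name == suffix[1:] or name.endswith(suffix)
    return name == pattern


class FqdnFilter:
    """Destination object backed by resolved names instead of static ACL entries."""

    def __init__(self, names, resolver, grace_seconds=0):
        self.names = [n.lower().rstrip(".") for n in names]
        self.resolver = resolver
        self.grace = grace_seconds  # keep an address this long past its TTL
        self.next_refresh = {n: 0.0 for n in self.names}
        self.addr_expiry = {}  # ip -> time until which it is trusted

    def _refresh(self, now):
        for name in self.names:
            if now < self.next_refresh[name]:
                continue
            ttl, addrs = self.resolver.query_a(name)
            for a in addrs:
                ip = ipaddress.ip_address(a)
                expires = now + ttl + self.grace
                self.addr_expiry[ip] = max(self.addr_expiry.get(ip, 0), expires)
            self.next_refresh[name] = now + max(ttl, MIN_REFRESH_SECONDS)
        # Drop addresses whose TTL (plus grace) has run out.
        self.addr_expiry = {ip: t for ip, t in self.addr_expiry.items() if t > now}

    def allowed(self, dst_ip, now):
        """Would a packet to dst_ip at time `now` match this object?"""
        self._refresh(now)
        return ipaddress.ip_address(dst_ip) in self.addr_expiry


def run_scenario(grace_seconds):
    """Same traffic against the object with and without a grace period."""
    fw = FqdnFilter(["www.example.com", "support.example.com"],
                    StubResolver(FAKE_ZONE), grace_seconds)
    return {
        "t0_first_rr_ip": fw.allowed("203.0.113.10", now=0),
        "t0_unseen_rr_ip": fw.allowed("203.0.113.12", now=0),
        "t0_unrelated_ip": fw.allowed("192.0.2.1", now=0),
        "t301_first_rr_ip": fw.allowed("203.0.113.10", now=301),
        "t301_new_rr_ip": fw.allowed("203.0.113.12", now=301),
    }


if __name__ == "__main__":
    for grace in (0, 600):
        print(f"grace={grace}s:", run_scenario(grace))
```

With grace 0 the object behaves like a strict TTL cache: at t=0 only the first round-robin pair is allowed, and at t=301 the refresh returns the second pair, so 203.0.113.10 is no longer permitted even though the server still answers there. With a grace period the address learned earlier stays valid after the refresh, which is what a gateway needs when a name rotates through more addresses than one answer contains. The trade-off is that a retired address stays reachable for the length of the grace period.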