When the policy ruleset uses FQDNs instead of IP addresses, it is important to know when and how often the firewall fetches (refreshes) the current "translation" of those names into IPs. This has to be done from the console.
FQDN refresh timer:
– The default is 30 minutes
– The timer can be set with this command:
> configure
# set deviceconfig system fqdn-refresh-time <1800-14399>
# request system fqdn refresh
admin@PA1(active-primary)# set deviceconfig system ...
+ fqdn-forcerefresh-time    Seconds for Periodic Timer to force refresh FQDN object entries
+ fqdn-refresh-time         Seconds for Periodic Timer to refresh expired FQDN object entries
The current FQDN translation can be viewed with:
– request system fqdn show
admin@PA1(active-primary)> request system fqdn show
FQDN Table : Last Request time Mon Apr 7 12:57:53 2014
---------------------------------------------------------------------------
                IP Address      Remaining TTL   Secs Since Refreshed
---------------------------------------------------------------------------
VSYS : vsys1
efmgmtdmz1.zgt.de (Objectname efmgmtdmz1.zgt.de):
                185.9.109.21    83168           3230
efprtg01.zgtroot.ads (Objectname efprtg01.zgtroot.ads):
                10.136.10.33    -232            1432
VSYS : shared
rkrakovic@PA2(active-primary)# set deviceconfig system fqdn-
+ fqdn-forcerefresh-time    Seconds for Periodic Timer to force refresh FQDN object entries
+ fqdn-refresh-time         Seconds for Periodic Timer to refresh expired FQDN object entries
rkrakovic@PA2(active-primary)# set deviceconfig system fqdn-refresh-time
  <value>    <1800-14399> Seconds for Periodic Timer to refresh expired FQDN object entries
rkrakovic@PA2(active-primary)# set deviceconfig system fqdn-refresh-time 1800
[edit]
rkrakovic@PA2(active-primary)# set deviceconfig system fqdn-forcerefresh-time 1800
1800 should be between 14400-86400
[edit]
rkrakovic@PA2(active-primary)# set deviceconfig system fqdn-forcerefresh-time 14400
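As an added example (not part of these notes and not Palo Alto's code), a small Python helper that parses the output of request system fqdn show in the layout above, flags entries whose Remaining TTL has already run out, validates the two timer values against the ranges the CLI reported in the session, and compares the firewall's table with what a client resolver returns. The sample table, object names and addresses are constructed for this example.

```python
import re
# Constructed sample in the layout of PAN-OS "request system fqdn show";
# names and addresses are made up for this example.
SAMPLE_OUTPUT = """\
FQDN Table : Last Request time Mon Apr 7 12:57:53 2014
VSYS : vsys1
web.example.test (Objectname web.example.test):
                192.0.2.10      83168           3230
mon.example.test (Objectname mon.example.test):
                198.51.100.33   -232            1432
VSYS : shared
"""

# Value ranges the CLI reports for the two timers (seconds).
REFRESH_RANGE = (1800, 14399)
FORCEREFRESH_RANGE = (14400, 86400)
def parse_fqdn_table(text):
    # One dict per (vsys, fqdn, ip) row of the table.
    rows, vsys, fqdn = [], None, None
    for line in text.splitlines():
        if m := re.match(r"VSYS\s*:\s*(\S+)", line):
            vsys = m.group(1)
        elif m := re.match(r"(\S+)\s+\(Objectname", line):
            fqdn = m.group(1)
        elif m := re.match(r"\s+([0-9a-fA-F.:]+)\s+(-?\d+)\s+(\d+)\s*$", line):
            rows.append({"vsys": vsys, "fqdn": fqdn, "ip": m.group(1),
                         "ttl": int(m.group(2)), "age": int(m.group(3))})
    return rows

def expired_entries(rows):
    # Remaining TTL <= 0: the DNS answer has expired, but the firewall keeps
    # enforcing policy on it until the next refresh-timer run replaces it.
    return [r for r in rows if r["ttl"] <= 0]

def check_timers(refresh_time, forcerefresh_time):
    # Flag values outside the ranges the CLI accepts (seen in the session above).
    problems = []
    if not REFRESH_RANGE[0] <= refresh_time <= REFRESH_RANGE[1]:
        problems.append("fqdn-refresh-time %d outside %s" % (refresh_time, REFRESH_RANGE))
    if not FORCEREFRESH_RANGE[0] <= forcerefresh_time <= FORCEREFRESH_RANGE[1]:
        problems.append("fqdn-forcerefresh-time %d outside %s" % (forcerefresh_time, FORCEREFRESH_RANGE))
    return problems

def mismatches(rows, resolved):
    # resolved: {fqdn: IPs a client resolver returned, e.g. socket.gethostbyname_ex(f)[2]}
    table = {}
    for r in rows:
        table.setdefault(r["fqdn"], set()).add(r["ip"])
    return {f: (table.get(f, set()), set(ips)) for f, ips in resolved.items()
            if table.get(f, set()) != set(ips)}
```

Feed mismatches() the addresses a workstation resolves for each object to automate the "ping from a desktop" comparison; any entry returned means the firewall and the clients are not using the same answer.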
Palo Alto's own information on this:
How to Configure and Test FQDN Objects
- It is important to remember that the FQDN object is an address object. This means that it is as good as referencing a ‘Source Address’ or ‘Destination Address’ in a security policy.
- This will work in such a way that every 30 minutes, the Palo Alto firewall will do an FQDN Refresh in which it does an NS lookup to the DNS server that is configured (Setup > Services). The firewall will map up to 10 IP addresses to that FQDN object.
- Make sure that this is the same server that your hosts are using. DNS malware can adversely affect a solution like this.
- This method should only be used when using an IP address is not possible. This type of object shouldn't be used as part of a URL filtering policy.
- This can also be helpful to control other services that don’t relate to web browsing like ftp, ssh, or any other service.
- If the object also resolves to an IPv6 address, enable IPv6 Firewalling (Setup > Session)
Configuring the object
To begin configuration of FQDN objects, go to Objects > Addresses
- Click Add to create a new address object.
- Change the type from ‘IP/Netmask’ to ‘FQDN’
- Enter the address (do not include http:// or any other header)
- Click OK
- Commit the changes
Confirming the changes
- An automatic Refresh FQDN task will run in the background. The status of this job can be checked by clicking the Tasks button at the bottom right corner of the GUI
- The CLI command request system fqdn show can then be used to view the list of FQDN objects and the IP address(es) associated with that name
- It is possible to force a refresh by running the command request system fqdn refresh
- As a recommended extra check, ping the host from a desktop to make sure it matches the IP address listed after running the request system fqdn show command