Palo Alto Firewall: refreshing FQDNs

If the policy rule base uses FQDNs instead of IP addresses, it is important to know when, and how often, the firewall fetches/refreshes the current "translation" of those names into IPs. For that you have to use the CLI.

FQDN refresh timer:

–        Default is 30 minutes
–        The timer can be set with this command:

> configure
# set deviceconfig system fqdn-refresh-time <1800-14399>
# request system fqdn refresh
 admin@PA1(active-primary)# set deviceconfig system
...
+ fqdn-forcerefresh-time   Seconds for Periodic Timer to force refresh 
                           FQDN object entries
+ fqdn-refresh-time        Seconds for Periodic Timer to refresh expired 
                           FQDN object entries

The current FQDN resolution can be displayed with:

–        request system fqdn show

 admin@PA1(active-primary)> request system fqdn show

FQDN Table : Last Request time Mon Apr  7 12:57:53 2014
---------------------------------------------------------------------------
                      IP Address     Remaining TTL     Secs Since Refreshed
---------------------------------------------------------------------------
VSYS  : vsys1

efmgmtdmz1.zgt.de  (Objectname efmgmtdmz1.zgt.de):

                    185.9.109.21             83168                     3230

efprtg01.zgtroot.ads  (Objectname efprtg01.zgtroot.ads):

                    10.136.10.33              -232                     1432

VSYS  : shared


rkrakovic@PA2(active-primary)# set deviceconfig system fqdn-
+ fqdn-forcerefresh-time   Seconds for Periodic Timer to force refresh FQDN object entries
+ fqdn-refresh-time        Seconds for Periodic Timer to refresh expired FQDN object entries

rkrakovic@PA2(active-primary)# set deviceconfig system fqdn-refresh-time
  <value>  <1800-14399> Seconds for Periodic Timer to refresh expired FQDN object entries

rkrakovic@PA2(active-primary)# set deviceconfig system fqdn-refresh-time 1800

[edit]
rkrakovic@PA2(active-primary)# set deviceconfig system fqdn-forcerefresh-time 1800
1800 should be between 14400-86400

[edit]
rkrakovic@PA2(active-primary)# set deviceconfig system fqdn-forcerefresh-time 14400
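As an added example (not from the original post or from Palo Alto), a small Python parser for the `request system fqdn show` output shown above. It flags entries whose Remaining TTL has already gone negative (such as the -232 entry), which means the policy is still matching on a resolution the DNS server no longer vouches for until the next refresh tick, and it mirrors the two timer ranges the CLI help text enforces. The sample output below is constructed from the transcript in this post.

```python
import re

# Constructed sample of `request system fqdn show` output, modelled on the
# transcript in this post (illustrative values, not a live capture).
SAMPLE_OUTPUT = """\
FQDN Table : Last Request time Mon Apr  7 12:57:53 2014
---------------------------------------------------------------------------
                      IP Address     Remaining TTL     Secs Since Refreshed
---------------------------------------------------------------------------
VSYS  : vsys1

efmgmtdmz1.zgt.de  (Objectname efmgmtdmz1.zgt.de):

                    185.9.109.21             83168                     3230

efprtg01.zgtroot.ads  (Objectname efprtg01.zgtroot.ads):

                    10.136.10.33              -232                     1432

VSYS  : shared
"""

# Valid ranges as reported by the CLI in this post.
TIMER_RANGES = {"fqdn-refresh-time": (1800, 14399),
                "fqdn-forcerefresh-time": (14400, 86400)}

VSYS_RE = re.compile(r"^VSYS\s*:\s*(\S+)")
FQDN_RE = re.compile(r"^(\S+)\s+\(Objectname\s+(\S+)\):")
ENTRY_RE = re.compile(r"^\s+(\S+)\s+(-?\d+)\s+(\d+)\s*$")

def parse_fqdn_table(text):
    """Return one dict per resolved IP: vsys, fqdn, object, ip, ttl, age."""
    entries, vsys, fqdn, obj = [], None, None, None
    for line in text.splitlines():
        if m := VSYS_RE.match(line):
            vsys = m.group(1)
        elif m := FQDN_RE.match(line):
            fqdn, obj = m.group(1), m.group(2)
        elif fqdn and (m := ENTRY_RE.match(line)):   # data rows only
            entries.append({"vsys": vsys, "fqdn": fqdn, "object": obj,
                            "ip": m.group(1), "ttl": int(m.group(2)),
                            "age": int(m.group(3))})
    return entries

def stale_entries(entries):
    """Entries whose DNS TTL has already expired (negative Remaining TTL)."""
    return [e for e in entries if e["ttl"] < 0]

def check_timer(name, seconds):
    """Mirror the CLI range check for the two fqdn timers."""
    lo, hi = TIMER_RANGES[name]
    return lo <= seconds <= hi
```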


Palo Alto's own documentation on this:

How to Configure and Test FQDN Objects


  • It is important to remember that the FQDN object is an address object. This means that it is as good as referencing a ‘Source Address’ or ‘Destination Address’ in a security policy.
  • This will work in such a way that every 30 minutes, the Palo Alto firewall will do an FQDN Refresh in which it does an NS lookup to the DNS server that is configured (Setup > Services). The firewall will map up to 10 IP addresses to that FQDN object.
  • Make sure that this is the same server that your hosts are using. DNS malware can adversely affect a solution like this.
  • This method should only be used when using an IP address is not possible. This type of object shouldn’t be used as part of a URL filtering policy.
  • This can also be helpful to control other services that don’t relate to web browsing like ftp, ssh, or any other service.
  • If the object also resolves to an IPv6 address, enable IPv6 Firewalling (Setup > Session)

Configuring the object

To begin configuration of FQDN objects, go to Objects > Addresses

  1. Click Add to create a new address object.
  2. Change the type from ‘IP/Netmask’ to ‘FQDN’
  3. Enter the address (do not include http:// or any other header)
  4. Click OK
  5. Commit the changes


Confirming the changes

  • An automatic Refresh FQDN task will run in the background. The status of this job can be checked by clicking the Tasks button at the bottom right corner of the GUI
  • The CLI command request system fqdn show can then be used to view the list of FQDN objects and the IP address(es) associated with that name
  • It is possible to force a refresh by running the command request system fqdn refresh
  • As a recommended extra check, ping the host from a desktop to make sure it matches the IP address listed after running the request system fqdn show command