
restricted fqdn or ip hosts - problem. Rule does not work

Hi all

I created a firewall allow rule with the destination as an FQDN (*.microsoft.com). Sadly, the rule does not work and the "deny all" rule is applied to the traffic. Kindly help.



This thread was automatically locked due to age.
  • In Firewall rules you can't use wildcard domains. You need a web proxy for wildcard exceptions.

    Regards mod

  • We can create wildcard FQDN hosts and map them to a firewall rule. This was newly introduced in v17.

  • Can you explain how a wildcard domain is resolved to use this in a packet filter rule? I can't believe that this is possible.

    Regards mod

  • Support Chn said:

    You should try adding the domain in wildcard exceptions in Web-->Exception-->Add Exception

    I have had more success with the above option than creating a firewall allow rule with wildcard FQDN hosts.

    Thank you all. I was off the keyboard for two days, hence the delay. Well, I found a workaround. I was using the built-in proxy of the XG 125 to access the sites. I just reconfigured my browser so that it does not use the proxy and instead accesses the site directly. The wildcard filter is working perfectly fine now. Still, I feel the issue should be resolved so that we could be more secure.

  • mod2402 said:

    Can you explain how a wildcard domain is resolved to use this in a packet filter rule? I can't believe that this is possible.

    Regards mod

    It is possible, as long as your client uses the XG Firewall for DNS resolution. In this case, XG listens for DNS requests for any of your *.yourdomain.com names and adds the subdomains it finds during DNS log crawling to the object. That makes it possible for XG to resolve the FQDN.

    But: this is not done in real time. It can take a few minutes until a newly created wildcard DNS takes effect. During my tests it was not working very stably.

  • HuberChristian said:

    mod2402 said:

    Can you explain how a wildcard domain is resolved to use this in a packet filter rule? I can't believe that this is possible.

    Regards mod

    It is possible, as long as your client uses the XG Firewall for DNS resolution. In this case, XG listens for DNS requests for any of your *.yourdomain.com names and adds the subdomains it finds during DNS log crawling to the object. That makes it possible for XG to resolve the FQDN.

    But: this is not done in real time. It can take a few minutes until a newly created wildcard DNS takes effect. During my tests it was not working very stably.

    It is OK if it takes a few minutes. But my problem is that it does not, even after hours together, if I am using the proxy service that is built in to the XG.
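
A simplified model of the mechanism described in this thread (a wildcard FQDN host that is filled from DNS answers the firewall observes, then matched by IP in a packet filter rule), added here as an illustration; it is not Sophos code and was not posted by any participant. The class and function names, the TTL-based expiry and the sample addresses are assumptions.

```python
import fnmatch


class WildcardFqdnHost:
    """Model of a wildcard FQDN host object populated from observed DNS answers."""

    def __init__(self, pattern):
        self.pattern = pattern.lower()
        self.learned = {}  # ip -> (resolved name, expiry time)

    def observe_dns_answer(self, name, ips, ttl, now):
        """Record the IPs of a DNS answer if the queried name matches the wildcard."""
        name = name.lower().rstrip(".")
        if not fnmatch.fnmatchcase(name, self.pattern):
            return False
        for ip in ips:
            # Assumption: entries age out with the record TTL.
            self.learned[ip] = (name, now + ttl)
        return True

    def contains(self, ip, now):
        entry = self.learned.get(ip)
        return entry is not None and entry[1] > now


def evaluate(dst_ip, allow_object, now):
    """Two-rule policy from the thread: allow the FQDN object, then deny all."""
    return "allow" if allow_object.contains(dst_ip, now) else "deny"


def demo():
    # Constructed sample data; addresses come from documentation ranges.
    obj = WildcardFqdnHost("*.microsoft.com")
    results = []
    # 1. Connection arrives before the firewall has seen any matching DNS answer.
    results.append(evaluate("192.0.2.10", obj, now=0))
    # 2. The client resolves through the firewall, which learns the address.
    obj.observe_dns_answer("www.microsoft.com.", ["192.0.2.10"], ttl=300, now=10)
    results.append(evaluate("192.0.2.10", obj, now=20))
    # 3. A name outside the wildcard is observed but not learned.
    obj.observe_dns_answer("www.example.org", ["198.51.100.7"], ttl=300, now=30)
    results.append(evaluate("198.51.100.7", obj, now=40))
    # 4. An address the firewall never saw resolved falls through to deny all.
    results.append(evaluate("203.0.113.5", obj, now=50))
    # 5. The learned entry has aged out and the rule stops matching.
    results.append(evaluate("192.0.2.10", obj, now=400))
    return results


if __name__ == "__main__":
    print(demo())
```

The packet filter only ever compares destination IPs, so the rule matches nothing until the object has learned an address from a DNS answer the firewall itself observed.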