Firewall Rule with FQDN

I'm trying to build a business rule for incoming traffic from an fqdn resolved host. As you can see in the image, I have a rule that allows network traffic from two objects. One is an IP address object and the other is an FQDN host that resolves to the exact same IP when I hover over it or issue a DHCP lookup. However, if I set this rule with only the FQDN object in place on the Allowed Client Networks section, traffic is blocked from the host. If I make the rule to include the IP address object in the Allowed Client Network section, it works perfectly (obviously I can leave the FQDN object off completely in this case and it still works).

 

Is there something I'm missing? This type of rule worked perfectly under my UTM 9 setup using an FQDN.



  • Hi Brian,

    Not sure, but create a DNS host entry to resolve the FQDN host on XG. Go to System > Network > DNS > Static host entry.

    Take SSH to XG and go to option 4. Device console. Execute,

    tcpdump 'host xyz.com and port 8920'

    and 

    tcpdump 'host x.x.x.x and port 8920'

    Post the output.

  • Hi Brian,

    I've just tested this on my lab and the Business Application Rule to forward traffic from an FQDN object seems to be working OK. Could you share a screenshot of your firewall log for that traffic (turn on logging for the Business Application Rule as well), and a screenshot of your FQDN objects when you hover over them, showing that they are resolving?

    Emile

  • Sorry, I've been out of town for work all week. I don't get any traffic when I use the FQDN, but I get some when using the IP address:

     

    console> tcpdump 'host cheetah.bbox.us and port 8920'

    tcpdump: Starting Packet Dump

    ^C

    0 packets captured

    15 packets received by filter

    0 packets dropped by kernel

     

     

    console> tcpdump 'host 71.10.176.3 and port 8920'

    tcpdump: Starting Packet Dump

    06:37:38.593918 Port1, IN: IP 172.16.15.38.8920 > 71.10.176.3.49944: Flags [.], ack 775090825, win 475, options [nop,nop,TS val 47328640 ecr 1065551048], length 0

    06:37:38.593922 Port1, OUT: IP 172.16.15.38.8920 > 71.10.176.3.49944: Flags [.], ack 1, win 475, options [nop,nop,TS val 47328640 ecr 1065551048], length 0

    ^C

    2 packets captured

    2 packets received by filter

    0 packets dropped by kernel

  • I don't seem to get any logged data from the denied traffic in the log viewer. I added a Drop All user network rule with logging enabled to the bottom of my firewall rule list, but that doesn't seem to add any logging for this particular issue. The TCP dump data is above and here is the screen shot of the FQDN resolving below.

     

  • OK, I've figured out a way to make FQDN work from a troubleshooting standpoint, but it isn't usable for my production need or the way the UTM 9 handled it. If I add a static DNS entry AND set the "Reverse DNS Lookup" option, the firewall rule works.

     

    I am not sure why reverse DNS is absolutely necessary though. It makes using a dynamic dns address in an FQDN firewall rule unusable.

  • Brian,

    as Sachin wrote, both entries are needed.

    If you do not set the reverse DNS lookup, XG uses only IP addresses. You are correct, UTM 9 is able to handle this type of query using only forward lookup queries.

    Hope they will change this behaviour!

    [:(]
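The behaviour described in the thread, forward lookup alone (as on UTM 9) versus forward lookup plus a matching reverse (PTR) lookup (as on XG with "Reverse DNS Lookup" enabled), can be checked for any FQDN before building a rule on it. The script below is an added example written for this page; it is not Sophos code and does not reflect how XG performs its lookups internally, only the forward/reverse agreement the thread reports as necessary. It resolves with the OS resolver by default, but the lookup functions are injectable, and the constructed `CONSTRUCTED_A` / `CONSTRUCTED_PTR` tables (documentation-range addresses, invented names) let it run offline: one host whose PTR points back at its own name, and one dynamic-DNS style host whose PTR is the ISP's generic name, which is exactly the case the last posts say cannot work.

```python
"""Forward-confirmed reverse DNS check for an FQDN firewall object.

Added example, not Sophos code. Models the thread's observation:
  - UTM 9 needs only the forward (A) record to contain the client IP;
  - XG additionally needs the client IP's PTR record to resolve back to
    the same FQDN ("Reverse DNS Lookup").
Resolver functions are injectable so the check can run offline.
"""
import socket
from typing import Callable, Dict, List, Optional

ForwardLookup = Callable[[str], List[str]]       # fqdn -> IPv4 addresses
ReverseLookup = Callable[[str], Optional[str]]   # ip -> PTR name, or None


def system_forward(fqdn: str) -> List[str]:
    """Forward-resolve an FQDN to IPv4 addresses using the OS resolver."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def system_reverse(ip: str) -> Optional[str]:
    """Reverse-resolve an IP to its PTR name using the OS resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def check_fqdn_object(fqdn: str, client_ip: str,
                      forward: ForwardLookup = system_forward,
                      reverse: ReverseLookup = system_reverse) -> Dict[str, object]:
    """Report whether client_ip would match an FQDN object for fqdn.

    forward_match: client_ip is one of the FQDN's A records (UTM 9 behaviour
                   as described in the thread).
    reverse_match: the PTR of client_ip normalizes to the same FQDN
                   (the extra condition the thread reports for XG).
    """
    addresses = forward(fqdn)
    forward_match = client_ip in addresses
    ptr = reverse(client_ip)
    reverse_match = ptr is not None and normalize(ptr) == normalize(fqdn)
    return {
        "fqdn": fqdn,
        "client_ip": client_ip,
        "addresses": addresses,
        "forward_match": forward_match,
        "ptr": ptr,
        "reverse_match": reverse_match,
        "matches_forward_only": forward_match,
        "matches_forward_and_reverse": forward_match and reverse_match,
    }


# Constructed DNS data for offline demonstration (documentation-range IPs,
# invented names). Not real records.
CONSTRUCTED_A: Dict[str, List[str]] = {
    "static.example.com": ["198.51.100.7"],
    "dyn.example.net": ["203.0.113.44"],   # dynamic-DNS style host
}
CONSTRUCTED_PTR: Dict[str, str] = {
    "198.51.100.7": "Static.Example.COM.",             # PTR points back at the FQDN
    "203.0.113.44": "cpe-203-0-113-44.isp.example",   # ISP generic name, never matches
}


def constructed_forward(fqdn: str) -> List[str]:
    return list(CONSTRUCTED_A.get(fqdn, []))


def constructed_reverse(ip: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(ip)


def explain(result: Dict[str, object]) -> str:
    """One-line verdict a firewall admin can act on."""
    if not result["forward_match"]:
        return f"{result['client_ip']} is not an A record of {result['fqdn']}: no rule will match"
    if result["matches_forward_and_reverse"]:
        return f"{result['fqdn']} matches on both forward and reverse lookup"
    return (f"{result['fqdn']} matches on forward lookup only; PTR for "
            f"{result['client_ip']} is {result['ptr']!r}, so a rule that also "
            f"requires reverse DNS will not match")


if __name__ == "__main__":
    for fqdn, ip in (("static.example.com", "198.51.100.7"),
                     ("dyn.example.net", "203.0.113.44")):
        print(explain(check_fqdn_object(fqdn, ip, constructed_forward, constructed_reverse)))
```

Run without arguments to see the two constructed cases; to test a real host, call `check_fqdn_object("your.fqdn", "client.ip")` with the default resolvers. Note that a system resolver answers from its cache, so a dynamic-DNS name with a short TTL can show one address here and another on the firewall a minute later.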

  • Wow. I hope so too. Seems like the main use for an FQDN entry would be for a dynamic ip situation where you could never get a reverse DNS to work.