Fqdn and deny/allow
Hi
T20 running 12.10
I have a policy denying from Any optional to crm.kaufmann.dk on port 443 and below another policy allowing from Any optional to *.kaufmann.dk on port 443.
Going to URL removed or removed from optional, the firewall logs a DENY message to removed and the page is not shown, of course.
On the other hand, the same DENY and ALLOW rules also include deny to removed and allow to removed, and access to removed works fine.
They are all behind the same Cloudflare IP addresses.
Why does Fireware block access to removed as removed and not on other domains in the same policies?
FQDN cache
FQDN[1219:1] domainID: 163, removed, refcnt: 1, Status: Perfect
FQDN[1219:1] IP Count: 3 , Sub-label: 0 , total-adding=3 , total-deleting=0 , total-earlydrop=0
FQDN[1219:1] Type: full name , Duration: 0 (s)
FQDN[1219:1] NS: removed, AA-Min-TTL: 300 , Duration: 0 (s), Update-count: 1
FQDN[1219:1] TTL: 300(s), Flag: 00000000
FQDN[1219:1] In groups: fqdn:pol_23_to,
Index Address TTL TTL-PKT AA Expiration FLAG Label CNAME
[001] x.x.x.x 300 300 AA remain 0h:4m:6s 00000017
[002] x.x.x.x 300 300 AA remain 0h:4m:6s 00000017
[003] x.x.x.x 300 300 AA remain 0h:4m:6s 00000017
removed the rest of the entries. -jc
/Robert
Comments
Hi @Robert_Vilhelmsen
In the future, please do not post IPs/FQDNs that can be traced back to your firewall/websites. This is for your security. If you'd prefer to post logs with that data, please create a support case, where that data can remain private.
If these addresses are ending up in your FQDN table, you have a policy or blocked sites entry adding them there. The firewall works via IPs, not FQDNs in policies. Proxies are the only things that differentiate URL paths via the same IP.
If your addresses resolve to the same thing, you will see overlap via FQDN. If you're trying to block something, try using a custom WebBlocker deny action instead.
-James Carson
WatchGuard Customer Support
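An added simulation of the point made above (example code, not from the thread or from WatchGuard): FQDN objects are expanded into IP sets before matching, so a deny for one name also catches every other name that resolves to the same proxy addresses. The hostnames under example.net and the TEST-NET-2 addresses are constructed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed DNS answers; TEST-NET-2 addresses stand in for shared CDN proxy IPs.
DNS = {
    "crm.example.net":  {"198.51.100.10", "198.51.100.11", "198.51.100.12"},
    "www.example.net":  {"198.51.100.10", "198.51.100.11", "198.51.100.12"},
    "mail.example.net": {"198.51.100.40"},
}

@dataclass
class Policy:
    name: str
    action: str    # "allow" or "deny"
    fqdn: str      # exact name or wildcard such as *.example.net
    port: int
    ips: set = field(default_factory=set)

def resolve_fqdn_object(pattern):
    """Expand an FQDN object into the union of addresses of every matching name."""
    return {ip for name, addrs in DNS.items() if fnmatch(name, pattern) for ip in addrs}

def build_policies():
    # Same ordering as the question: a deny for one host sits above the wildcard allow.
    policies = [
        Policy("deny_crm", "deny", "crm.example.net", 443),
        Policy("allow_wildcard", "allow", "*.example.net", 443),
    ]
    for p in policies:
        p.ips = resolve_fqdn_object(p.fqdn)   # FQDN objects become IP sets at the firewall
    return policies

def evaluate(policies, dst_ip, dst_port):
    """First match wins. Only the destination IP is visible, never the hostname."""
    for p in policies:
        if dst_port == p.port and dst_ip in p.ips:
            return p.action, p.name
    return "deny", "default"

def collateral_hosts(policies):
    """Names hit by a deny object only because they share addresses with it."""
    hits = set()
    for deny in (p for p in policies if p.action == "deny"):
        for name, addrs in DNS.items():
            if addrs & deny.ips and not fnmatch(name, deny.fqdn):
                hits.add(name)
    return sorted(hits)
```

Running `collateral_hosts(build_policies())` before deploying such a pair of rules shows which hosts the deny will catch unintentionally.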
I figured it out. It's Cloudflare proxy IPs where I have some overlaps.
I am not worried about the listed IP addresses as they all are CF proxy IPs.