Dear community,
As a firewall noob I am wondering how to integrate a dynamically changing list of IPs into an allowlist for a specific firewall rule.
As a home user I unfortunately have no access to the "Web protection subscription", only "Base Firewall".
The aim is to allow Grafana Cloud servers to periodically poll data from my internal Prometheus instance on a specific web server port. This actually works with a firewall rule set to
Source zone WAN: any,
Source network: any
Destination zone: LAN,
Destination network: any,
Services "prometheus HTTPS" (TCP Destination Port 9090)
and three corresponding NAT rules created by the NAT wizard.
Obviously I do not want to publish the Prometheus data to the whole internet, so I want to restrict the access to certain known IP addresses, so "Source networks and devices" within a firewall rule would be the right place to add Grafana's IPs. Unfortunately the IPs are from *.bc.googleusercontent.com and therefore subject to change dynamically.
The DNS record "src-ips.hosted-grafana.grafana.net" resolves to more than 100 IPv4 addresses and about as many IPv6 addresses, but when I put that record into Source network (DNS address) the Grafana service cannot reach my internal server.
Most probably I am missing a point where to put the DNS record for the IP list into, apart from "Source networks and devices". Can you help me in finding it?
Thanks in advance,
Oliver
Added FR TAG
[edited by: Erick Jan at 10:59 AM (GMT -7) on 1 Aug 2024]
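A small helper for the problem described in the post, added here as an example and not part of the original thread or of any firewall vendor's tooling: it resolves every A and AAAA answer for a record such as src-ips.hosted-grafana.grafana.net, builds the deduplicated IPv4/IPv6 allowlist the source-network field would need, checks a client address against it as the rule for TCP/9090 would, and shows which addresses appeared or vanished between two resolutions (the dynamic change the post mentions). The sample addresses and the drift between them are constructed; the record name and port come from the post.

```python
import ipaddress
import socket
from typing import Iterable

# Constructed stand-in for the >100 answers the real record returns
# (these addresses are made up for the example, not real Grafana IPs).
SAMPLE_T1 = ["34.120.1.5", "34.120.1.5", "35.190.2.200",
             "2600:1900:4000::1", "2600:1900:4000::1"]
SAMPLE_T2 = ["34.120.1.5", "35.190.2.201", "2600:1900:4000::1",
             "2600:1900:4000::2"]


def resolve_all(name: str) -> list[str]:
    """Return every A and AAAA answer for name via the system resolver."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return [sockaddr[0] for *_, sockaddr in infos]


def build_allowlist(answers: Iterable[str]) -> dict[str, list[str]]:
    """Dedupe the answers and split them into sorted IPv4 and IPv6 lists."""
    v4, v6 = set(), set()
    for a in answers:
        ip = ipaddress.ip_address(a)
        (v4 if ip.version == 4 else v6).add(ip)
    return {"ipv4": [str(i) for i in sorted(v4)],
            "ipv6": [str(i) for i in sorted(v6)]}


def is_allowed(client_ip: str, allowlist: dict[str, list[str]]) -> bool:
    """The decision the WAN->LAN rule for TCP/9090 makes for one client."""
    ip = ipaddress.ip_address(client_ip)
    return str(ip) in allowlist["ipv4" if ip.version == 4 else "ipv6"]


def drift(old: dict, new: dict) -> dict[str, list[str]]:
    """Addresses that appeared or vanished between two resolutions."""
    o = set(old["ipv4"] + old["ipv6"])
    n = set(new["ipv4"] + new["ipv6"])
    return {"added": sorted(n - o), "removed": sorted(o - n)}


if __name__ == "__main__":
    # Live use: answers = resolve_all("src-ips.hosted-grafana.grafana.net")
    t1 = build_allowlist(SAMPLE_T1)
    t2 = build_allowlist(SAMPLE_T2)
    print(len(t1["ipv4"]), "IPv4 /", len(t1["ipv6"]), "IPv6 entries")
    print("allowed:", is_allowed("34.120.1.5", t1))
    print("drift since last run:", drift(t1, t2))
```

Running it twice some hours apart (with resolve_all in place of the samples) shows how often the list changes and whether the count is larger than what the firewall's DNS-address object actually resolves, which is the first thing to verify when an FQDN-based source restriction stops matching.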