Dear community,
As a firewall noob I am wondering how to integrate a dynamically changing list of IPs into an allowlist for a specific firewall rule.
As a home user I unfortunately have no access to the "Web protection subscription", only "Base Firewall".
The aim is to allow Grafana Cloud servers to periodically poll data from my internal Prometheus instance on a specific web server port. This actually works with a firewall rule set to
Source zone WAN: any,
Source network: any
Destination zone: LAN,
Destination network: any,
Services "prometheus HTTPS" (TCP Destination Port 9090)
and three corresponding NAT rules created by the NAT wizard.
Obviously I do not want to publish the Prometheus data to the whole internet, so I want to restrict the access to certain known IP addresses, so "Source network and devices" within a firewall rule would be the right place to add Grafana's IPs. Unfortunately the IPs are from *.bc.googleusercontent.com and therefore subject to change dynamically.
The DNS record "src-ips.hosted-grafana.grafana.net" resolves to more than 100 IPv4 addresses and about as many IPv6 addresses, but when I put that record into Source network (DNS-Address), the Grafana service cannot reach my internal server.
Most probably I am missing the place where to put the DNS record for the IP list, apart from "Source networks and devices"; can you help me find it?
Thanks in advance,
Oliver
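Whatever the reason the DNS host object fails with a record this large, one defender-side workaround is to resolve the record yourself on a schedule and maintain a static IP list from the result, reviewing what changed before the firewall object is rewritten. The script below is an added example, not code from the post or from Sophos or Grafana: it resolves every A and AAAA record, drops anything that cannot legitimately be a remote poller's source (RFC 1918, loopback, link-local, ULA, multicast), collapses the remainder into the smallest set of CIDR blocks per IP version, and reports the difference from the previous run. Only the record name "src-ips.hosted-grafana.grafana.net" comes from the post; the sample resolver output is constructed from documentation ranges, and how the resulting list is pushed into a particular firewall's IP host group is left to the reader, since that depends on the product.

```python
"""Turn a DNS record that fans out to many addresses into a stable, reviewable
allowlist of CIDR blocks. Added example; not from the forum post or any vendor."""
import ipaddress
import json
import socket
import sys
from typing import Iterable

# Record name taken from the post. Everything else here is an assumption about
# how one might feed a firewall allowlist; it is not a built-in firewall feature.
GRAFANA_SRC_IPS_RECORD = "src-ips.hosted-grafana.grafana.net"

# Ranges that must never land in a WAN-side allowlist, whatever DNS returns:
# RFC 1918, loopback, link-local, IPv6 ULA. Multicast/unspecified are checked by flag.
NEVER_ALLOW = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def resolve_all(hostname: str) -> list[str]:
    """Return every A and AAAA address the record currently resolves to.
    Needs network access; the functions below are pure and run offline."""
    found = set()
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            for *_, sockaddr in socket.getaddrinfo(hostname, None, family, socket.SOCK_STREAM):
                found.add(sockaddr[0])
        except socket.gaierror:
            continue  # no records for this family; the other family may still resolve
    return sorted(found)


def is_allowlistable(addr) -> bool:
    """Reject addresses that cannot legitimately be a remote poller's source."""
    if addr.is_multicast or addr.is_unspecified or addr.is_loopback or addr.is_link_local:
        return False
    return not any(addr in net for net in NEVER_ALLOW if net.version == addr.version)


def build_allowlist(addresses: Iterable[str]) -> dict[str, list[str]]:
    """Validate, filter and collapse raw addresses into minimal CIDR blocks per IP version.
    Collapsing keeps the firewall object small and makes diffs between runs readable."""
    per_version = {4: set(), 6: set()}
    for raw in addresses:
        addr = ipaddress.ip_address(raw.strip())  # ValueError on garbage: better to fail loudly
        if is_allowlistable(addr):
            per_version[addr.version].add(ipaddress.ip_network(str(addr)))
    return {
        "ipv4": [str(n) for n in ipaddress.collapse_addresses(per_version[4])],
        "ipv6": [str(n) for n in ipaddress.collapse_addresses(per_version[6])],
    }


def diff_allowlist(previous: dict[str, list[str]], current: dict[str, list[str]]) -> dict:
    """Report blocks added and removed since the last run, so a scheduled job can log
    or alert on the change before it rewrites the firewall's allowlist object."""
    report = {}
    for version in ("ipv4", "ipv6"):
        old, new = set(previous.get(version, [])), set(current.get(version, []))
        report[version] = {
            "added": sorted(new - old, key=ipaddress.ip_network),
            "removed": sorted(old - new, key=ipaddress.ip_network),
        }
    return report


# Constructed sample resolver output (documentation ranges, not real Grafana addresses).
SAMPLE_RESOLVED = [
    "203.0.113.4", "203.0.113.5", "203.0.113.6", "203.0.113.7",  # four adjacent -> one /30
    "198.51.100.20", "198.51.100.20",                            # duplicate is deduplicated
    "10.0.0.5", "fe80::1",                                       # private / link-local: dropped
    "2001:db8::1", "2001:db8::2", "2001:db8::3",                 # ::2 and ::3 -> one /127
]

if __name__ == "__main__":
    # Pass --live to resolve the real record; otherwise the constructed sample is used.
    source = resolve_all(GRAFANA_SRC_IPS_RECORD) if "--live" in sys.argv else SAMPLE_RESOLVED
    current = build_allowlist(source)
    print(json.dumps(current, indent=2))
    print(json.dumps(diff_allowlist({"ipv4": ["198.51.100.20/32"], "ipv6": []}, current), indent=2))
```

Run it from cron (or a systemd timer) with `--live`, persist the JSON it prints, and feed the diff to whatever mechanism updates the firewall's IP list object; keeping the previous run's output lets you spot an unexpectedly large change in the record before it becomes an unexpectedly large hole in the rule.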