
blocked requests for short-TTL wildcard DNS FQDN

Currently I have some trouble providing firewall access to some load-balanced CDN services on Akamai servers, where the corresponding DNS names have short TTLs, when using a wildcard FQDN like *.docusign.net while the URL actually accessed is demo.docusign.net via https.

The result is that the first web request usually fails due to a firewall block, because the new IP is not yet learned by the firewall; a second attempt is then fine. After the TTL expires, it may fail again, a retry fixes it, and so on.

A workaround in some cases seems to be not to use *.docusign.net (to use the above example) but the full FQDN demo.docusign.net.

From my understanding, the firewall updates full FQDNs used in firewall rules automatically all the time, while wildcard FQDNs are only updated at the time of access.

Is that correct?

SFOS is 20.0.1

console> sh fqdn-host
cache-ttl:       dns-reply-ttl
idle-timeout:    default
learn-subdomains: enable
IP eviction:      disable



Added TAGs
[edited by: Erick Jan at 8:09 AM (GMT -7) on 24 Sep 2024]
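A defender-side check for the symptom described in the post, as an added example that is not part of the thread or of Sophos's own tooling: it scans firewall log lines for a deny that is quickly followed by an allow on the same flow carrying an FQDN match, which is what the wildcard-learning lag would look like in the logs. The log format and the sample lines are constructed for this example and are not the SFOS log format.

```python
# Added example (not from the forum post or Sophos): correlate a DENY with a
# later ALLOW on the same flow to surface the "first request blocked, retry
# works" pattern. Log format below is constructed for this example only.
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+)(?: fqdn=(?P<fqdn>\S+))?$"
)

# Constructed sample log lines mimicking the symptom from the post.
SAMPLE_LOG = """\
2024-09-24 15:00:01 DENY src=10.1.1.5 dst=23.1.1.10 dport=443
2024-09-24 15:00:03 ALLOW src=10.1.1.5 dst=23.1.1.10 dport=443 fqdn=demo.docusign.net
2024-09-24 15:04:40 ALLOW src=10.1.1.5 dst=23.1.1.10 dport=443 fqdn=demo.docusign.net
2024-09-24 15:05:12 DENY src=10.1.1.5 dst=23.1.1.44 dport=443
2024-09-24 15:05:14 ALLOW src=10.1.1.5 dst=23.1.1.44 dport=443 fqdn=demo.docusign.net
2024-09-24 15:07:00 DENY src=10.1.1.9 dst=198.51.100.7 dport=22
"""

def parse(log_text):
    """Parse constructed log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(d)
    return events

def find_learning_races(events, window=timedelta(seconds=30)):
    """Return (deny_ts, dst, fqdn) for each DENY that is followed within `window`
    by an ALLOW from the same src to the same dst/port with an FQDN match.
    A DENY with no such ALLOW is left alone: it may be a genuine block."""
    hits = []
    denies = [e for e in events if e["action"] == "DENY"]
    allows = [e for e in events if e["action"] == "ALLOW" and e["fqdn"]]
    for d in denies:
        for a in allows:
            same_flow = (a["src"], a["dst"], a["dport"]) == (d["src"], d["dst"], d["dport"])
            if same_flow and d["ts"] <= a["ts"] <= d["ts"] + window:
                hits.append((d["ts"], d["dst"], a["fqdn"]))
                break
    return hits

if __name__ == "__main__":
    for ts, dst, fqdn in find_learning_races(parse(SAMPLE_LOG)):
        print(f"{ts}: deny to {dst} followed by allow for {fqdn} (likely FQDN learning lag)")
```

On the constructed sample the two HTTPS denies to the DocuSign IPs are flagged, while the unrelated SSH deny is not; a high count of such pairs for one wildcard object is the signal that the object's IPs are being learned too late.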