
blocked requests for short-TTL wildcard DNS FQDN

Currently I have some trouble providing firewall access to some load-balanced CDN services on Akamai servers, where the corresponding DNS names have short TTLs, when using a wildcard FQDN like *.docusign.net and the URL actually accessed is demo.docusign.net via HTTPS.

The result is that the first web request usually fails due to a firewall block, because the new IP is not yet learned by the firewall; a second attempt is then fine. After the TTL expires it may fail again, a retry fixes it, and so on.

A workaround in some cases seems to be not to use *.docusign.net (to use the above example) but the full FQDN demo.docusign.net.

From my understanding, the firewall updates full FQDN names used in firewall rules automatically all the time, while wildcard FQDNs are only updated at the time of access.

Is that correct?

SFOS is 20.0.1

console> sh fqdn-host
cache-ttl:       dns-reply-ttl
idle-timeout:    default
learn-subdomains: enable
IP eviction:      disable
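Added illustration, not code from the original post or from Sophos: a small Python model of the two refresh behaviours described above. A single FQDN host object is re-resolved by the firewall on its own when the DNS reply TTL runs out (cache-ttl: dns-reply-ttl), while a wildcard host object only learns an address when a client accesses a matching subdomain, so the access that triggers the learning is itself evaluated against the old set. The CDN name, the rotating edge IPs, the 30-second TTL and the attempt times are all constructed assumptions; the model also assumes the firewall and the client receive the same DNS answer and that IP eviction is disabled, as in the settings shown.

```python
"""Toy model of a firewall FQDN host object tracking a CDN name whose
DNS answer rotates with a short TTL (constructed example, not SFOS code)."""

from dataclasses import dataclass, field

TTL = 30  # seconds; constructed short TTL typical of CDN answers

# Constructed rotating answers for demo.docusign.net: the authoritative
# answer moves to the next edge node every TTL period.
EDGE_IPS = ["198.51.100.10", "198.51.100.20", "198.51.100.30"]


def authoritative_answer(now: int) -> str:
    """IP that DNS returns for demo.docusign.net at time `now`."""
    return EDGE_IPS[(now // TTL) % len(EDGE_IPS)]


@dataclass
class FqdnHost:
    name: str
    wildcard: bool
    learned: set = field(default_factory=set)  # IPs the rule currently matches
    expires: int = -1  # time the cached single-FQDN answer expires

    def refresh(self, now: int) -> None:
        """Single FQDN only: the firewall re-resolves the name itself as
        soon as the cached DNS reply TTL has run out, independent of traffic."""
        if not self.wildcard and now >= self.expires:
            self.learned = {authoritative_answer(now)}
            self.expires = now + TTL

    def learn_on_access(self, ip: str) -> None:
        """Wildcard only: an IP seen for a matching subdomain is added after
        the access that revealed it; with IP eviction disabled it is kept."""
        if self.wildcard:
            self.learned.add(ip)

    def allows(self, ip: str) -> bool:
        return ip in self.learned


def simulate(wildcard: bool, attempt_times: list) -> list:
    """Return (time, ip, verdict) for each client attempt to reach
    demo.docusign.net, under a wildcard or a single-FQDN rule object."""
    host = FqdnHost("*.docusign.net" if wildcard else "demo.docusign.net", wildcard)
    results = []
    for t in attempt_times:
        host.refresh(t)                    # no-op for the wildcard object
        ip = authoritative_answer(t)       # client resolves the name now
        verdict = "allowed" if host.allows(ip) else "blocked"
        host.learn_on_access(ip)           # wildcard learns only after access
        results.append((t, ip, verdict))
    return results


def blocked_count(results: list) -> int:
    return sum(1 for _, _, verdict in results if verdict == "blocked")


if __name__ == "__main__":
    # First try and immediate retry after each TTL boundary (constructed).
    attempts = [0, 1, 40, 41, 70, 71, 100, 101]
    for label, wc in (("wildcard *.docusign.net", True),
                      ("single demo.docusign.net", False)):
        res = simulate(wc, attempts)
        print(f"{label}: {blocked_count(res)} blocked")
        for t, ip, verdict in res:
            print(f"  t={t:3d}s  {ip:15s}  {verdict}")
```

With the wildcard object every first attempt after the answer changes is blocked and the retry passes, which is the pattern reported above; once all three constructed edge IPs have been learned no further blocks occur because eviction is disabled. The single-FQDN object has the new address before the client connects, so every attempt is allowed.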

  • Yes. Wildcard is only fetched on access and saved within the firewall. Single FQDNs will be fetched by the firewall based on the request TTL.
