Networking: Wildcard Hostnames for DNS Group Definitions
being able to specify a 'root' domain name, or pattern, as a network definition, that could then be used in a traffic selector for bandwidth shaping, would help greatly. content delivery networks use hundreds of hostnames, but usually stick with one 'root', example: 'something.nflximg.com' or 'something.llnwd.net' by specifying something like "*.llnwd.net' as the source, we could then limit the traffic as desired.
Seriously, how is office365 integration supposed to work ?
and we are waiting on this since 2011 ? 10 years ?
I have several customers here who use bigmarker.com for video conferencing, the recommendation from bigmarker is to set a *.bigmarker.com entry, because it is impossible to work with static IPs due to the many changes. And now?
I just added 23 subdomains, 1 by 1, just because this lack.
This makes UTM look like a toy.
Stefan H commented
Unintelligible for me that it is'nt already implemented since years. Without this it is impossible blocking or allowing special ports to special destinations. Its impossible to handle hundrets of single entries that change every second day. No way, this wildcard (which is already a feature on other vendors since years) is truly needed.
+1 for the 235623623th time for this issue. it's very helpful for all aspects of traffic shaping and firewall rules and multipath rules
Jim Harrison commented
This would be especially useful in blocking geo-distributed nastiness like cryptominers.
For example, coinhive uses a name structure like "ws###.coinhive.com", but because the protocol isn't http-based, the web filter is blind to it.
Being able to apply something as simple as a text filter to such obvious constructs would be very useful.
I have 14 sites using the SG and am very happy with it overall; however, 8 of my sites are KU or KA band satellite (Marine platforms) and bandwidth management is critical to keep wans running smoothly. Being able to use wildcard domains is very important for managing uplink balancing. Having the ability to route lower priority traffic to different uplinks based on destination solves a lot of problems for me so the wildcard DNS entry in DNS groups would be a huge benefit. With akamai and many other bandwidth intensive hosting services on the net it is too difficult to maintain all the possible dns entries required to do this otherwise.
Sebastian Meyer commented
already possible on XG - why not on SG/UTM?
I Think this will be hard to implement, because the DNS Resolution is done at Client Side and the Packet Filter Module of the UTM will only see IP Adresses not DNS Names. Because Zone Transfer won't be allowed by the Destination Domains we will not be able to prefetch all possible subdomains - in Case of shared Servers / Content Switching the Reverse entry must not match the original forward Endtry.
The Only Way to archive this would be to enforce Usage of the DNS Proxy of UTM and to cache all Adresses for Domains with *.example.tld...
Just by way of an update for those reviewing the feature, I'm adding IP addresses to allow one host external access to Microsoft's external WSUS servers and it's so far taken me half a day (or so) and over 60 individual IP addresses. I think the number of wildcard DNS entries required is about 6 and would have taken 5 minutes to configure on the firewall.
We host a lot of services for our customers and so this is a regular requirement, we have web services which need to talk to a 3rd party via something like *.ourcoolproduct.company.com which we could easily define on our old firewalls, migrating over to the SG is proving a little tricky though!
If that helps in any way state the case for this functionality then great, it really would be a massive help in our environment.
I'll stop trolling this thread now :)
I also note that the WAF feature request had many less votes than this feature request....
Not that I'm desperate or anything!
Also I see that this functionality has already been added to the WAF (https://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/3011899-web-application-firewall-wildcard-domains) so I assume the code to perform this is already in the OS and just needs adding to the packet filter to allow wildcard DNS host entries?
Sounds like a nice straightforward win that would benefit a large number of your users!
I can't believe that the SG software doesn't allow this already! I'm trying to whitelist just *.microsoft.com for a single host on a VLAN that has no internet access and have just been told that I would need to list every resolvable subdomain or IP address to get this to work.
This means a rule that should take 30 seconds to create is basically impossible. Every firewall I've used in the past has had this functionality out of the box, I can't believe it's not at the very top of the list of developments to add to the SG/XG firewalls (and I can't imagine it's that hard to implement either).
I'd upvote this 100 times if I could. It's essential for our business.
+1 for this feature, would help out a ton
What is actually the status of this FR right now? I was hoping that Sophos had already planned to use and support wildcards in domain definitions which can be used in e.g. the packet filter.
@Adrenaline_x there is a way to import the required IP addresses. You may obtain the XML from Office 365, then parse the list per product (for e.g. Skype for Business) for IP addresses and create objects in the UTM using the API, of which is available from version 9.2 I guess. You may also take advantage of the API to (create and) maintain your firewall rule(s).
how are you guys resolving all the office 365 and skype for buisness FQDNs? I need to allow 5061 to 272 ip/networks to our firewall allow to get Skype for bushiness to work.. there is no way to import the ips and sopho account managers are suggesting we use a third party to help.. WTF?
to play devil's advocate; though I would like the feature as well, there is a "right" way to do this; Multiple A records on your DNS domain for a hostname, or an SRV record with the appropriate host entries.
This feature is clearly critical for very fine outbound traffic definition. I need it for antivirus and some other sutff, many adresses are multi dns hostname but a lot are wildcard domain. It's also usefull especially when you do,'t want to intégrate' some system with a proxy and web filtering but only in firewall rules It's a pain to identifiy every subadress.
We need this feature to get CrashPlan to work. Otherwise you have to manually add their randomly generated sub-domains to a network group every week and that is too much to babysit for many different sites and locations.
Please add this feature.