Networking: Wildcard Hostnames for DNS Group Definitions
Being able to specify a 'root' domain name, or pattern, as a network definition that could then be used in a traffic selector for bandwidth shaping would help greatly. Content delivery networks use hundreds of hostnames but usually stick with one 'root', for example 'something.nflximg.com' or 'something.llnwd.net'. By specifying something like '*.llnwd.net' as the source, we could then limit the traffic as desired.
Stefan H commented
Unintelligible to me that it isn't already implemented after all these years. Without this it is impossible to block or allow specific ports to specific destinations. It's impossible to handle hundreds of single entries that change every second day. No way; this wildcard (which has already been a feature at other vendors for years) is truly needed.
+1 for the 235623623th time for this issue. It's very helpful for all aspects of traffic shaping, firewall rules and multipath rules.
Jim Harrison commented
This would be especially useful in blocking geo-distributed nastiness like cryptominers.
For example, Coinhive uses a name structure like "ws###.coinhive.com", but because the protocol isn't HTTP-based, the web filter is blind to it.
Being able to apply something as simple as a text filter to such obvious constructs would be very useful.
I have 14 sites using the SG and am very happy with it overall; however, 8 of my sites are Ku or Ka band satellite (marine platforms) and bandwidth management is critical to keep the WANs running smoothly. Being able to use wildcard domains is very important for managing uplink balancing. Having the ability to route lower-priority traffic to different uplinks based on destination solves a lot of problems for me, so the wildcard DNS entry in DNS groups would be a huge benefit. With Akamai and many other bandwidth-intensive hosting services on the net, it is too difficult to maintain all the possible DNS entries required to do this otherwise.
Sebastian Meyer commented
Already possible on XG, so why not on SG/UTM?
I think this will be hard to implement, because DNS resolution is done on the client side and the packet filter module of the UTM only sees IP addresses, not DNS names. Because zone transfers won't be allowed by the destination domains, we will not be able to prefetch all possible subdomains; in the case of shared servers / content switching, the reverse entry need not match the original forward entry.
The only way to achieve this would be to enforce usage of the DNS proxy of the UTM and to cache all addresses for domains matching *.example.tld...
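The mechanism the comment above describes, as an added example that is not part of this thread and not Sophos UTM code: a DNS proxy in the path of the clients watches the answers it forwards, and any A/AAAA record returned for a query name that matches a wildcard pattern is added to that group's IP set for the record's TTL. The packet filter then matches on the learned IP set, which is all it can see. Group names, patterns, the answer records, addresses (documentation ranges) and TTLs are constructed sample data, and the rule actions ("drop", "shape") are placeholders.

```python
"""Wildcard DNS groups populated from observed DNS answers, for an IP-only packet filter.

Added example, not appliance code. All names, addresses and TTLs below are constructed.
"""
import re
from ipaddress import ip_address


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a hostname wildcard into a regex.

    "*.example.com"   matches example.com and any depth of subdomain
    "ws*.example.com" matches ws001.example.com but not a.ws001.example.com
    """
    labels = pattern.strip().lower().rstrip(".").split(".")
    parts = []
    for i, label in enumerate(labels):
        if i == 0 and label == "*":
            parts.append(r"(?:[^.]+\.)*")  # zero or more leading labels, so the apex matches too
            continue
        parts.append(re.escape(label).replace(r"\*", r"[^.]*"))  # '*' inside a label stays in that label
        if i < len(labels) - 1:
            parts.append(r"\.")
    return re.compile("^" + "".join(parts) + "$")


class WildcardDnsGroup:
    """A DNS group whose member IPs are learned from DNS answers the proxy forwards."""

    def __init__(self, name, patterns):
        self.name = name
        self.patterns = [wildcard_to_regex(p) for p in patterns]
        self._members = {}  # ip_address -> absolute expiry (seconds)

    def matches(self, qname):
        q = qname.lower().rstrip(".")
        return any(r.match(q) for r in self.patterns)

    def learn(self, qname, answers, now):
        """Record the addresses in a response whose *query name* matches a pattern.

        answers: iterable of (owner, rtype, ttl, rdata). CNAME chains are followed
        implicitly: every A/AAAA in the answer section is credited to the name the
        client asked for, even when its owner is a CDN alias in another domain.
        Returns the number of addresses added or refreshed.
        """
        if not self.matches(qname):
            return 0
        learned = 0
        for _owner, rtype, ttl, rdata in answers:
            if rtype not in ("A", "AAAA"):
                continue
            ip = ip_address(rdata)
            expiry = now + max(int(ttl), 1)  # a zero TTL still gets one second to be usable
            if self._members.get(ip, 0) < expiry:
                self._members[ip] = expiry
            learned += 1
        return learned

    def contains(self, ip, now):
        ip = ip_address(ip)
        expiry = self._members.get(ip)
        if expiry is None:
            return False
        if expiry <= now:
            del self._members[ip]  # TTL ran out: membership lapses until the name is resolved again
            return False
        return True


def decide(policy, dst_ip, now, default="allow"):
    """First matching rule wins, like a packet filter rule table."""
    for action, group in policy:
        if group.contains(dst_ip, now):
            return action
    return default


def demo():
    cdn = WildcardDnsGroup("cdn_shaped", ["*.llnwd.net", "*.nflximg.com"])
    miners = WildcardDnsGroup("miner_block", ["ws*.coinhive.com"])
    policy = [("drop", miners), ("shape", cdn)]
    t0 = 1_000_000
    # Constructed answers, as the DNS proxy would see them (query name, answer section).
    responses = [
        ("cdn.llnwd.net", [("cdn.llnwd.net", "A", 300, "192.0.2.10"),
                           ("cdn.llnwd.net", "A", 300, "192.0.2.11")]),
        ("art.nflximg.com", [("art.nflximg.com", "CNAME", 60, "art.nflximg.com.edgesuite.net"),
                             ("art.nflximg.com.edgesuite.net", "A", 20, "198.51.100.5")]),
        ("ws027.coinhive.com", [("ws027.coinhive.com", "A", 30, "203.0.113.7")]),
        ("unrelated.example.org", [("unrelated.example.org", "A", 300, "203.0.113.99")]),
    ]
    for qname, answers in responses:
        for group in (cdn, miners):
            group.learn(qname, answers, t0)
    return {
        "cdn_via_cname": decide(policy, "198.51.100.5", t0 + 5),   # learned through the CNAME
        "miner": decide(policy, "203.0.113.7", t0 + 5),
        "miner_after_ttl": decide(policy, "203.0.113.7", t0 + 31),  # 30 s TTL has lapsed
        "unrelated": decide(policy, "203.0.113.99", t0 + 5),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats follow directly from the design. The group only ever contains addresses from resolutions the proxy saw, so a client that uses another resolver, DNS over HTTPS, or an answer still in its own cache reaches the address without the rule matching; the wildcard rule is only meaningful if client DNS is forced through the box. And because membership lapses with the TTL, a short-TTL CDN name that a client stops resolving drops out of the group, which is the correct behaviour for shaping but means a "block" rule cannot be relied on for addresses the client learned some other way.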
Just by way of an update for those reviewing the feature: I'm adding IP addresses to allow one host external access to Microsoft's external WSUS servers, and so far it has taken me half a day (or so) and over 60 individual IP addresses. I think the number of wildcard DNS entries required is about 6 and would have taken 5 minutes to configure on the firewall.
We host a lot of services for our customers, so this is a regular requirement: we have web services which need to talk to a third party via something like *.ourcoolproduct.company.com, which we could easily define on our old firewalls. Migrating over to the SG is proving a little tricky though!
If that helps in any way to state the case for this functionality then great; it really would be a massive help in our environment.
I'll stop trolling this thread now :)
I also note that the WAF feature request had many fewer votes than this feature request....
Not that I'm desperate or anything!
Also, I see that this functionality has already been added to the WAF (https://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/3011899-web-application-firewall-wildcard-domains), so I assume the code to perform this is already in the OS and just needs adding to the packet filter to allow wildcard DNS host entries?
Sounds like a nice straightforward win that would benefit a large number of your users!
I can't believe that the SG software doesn't allow this already! I'm trying to whitelist just *.microsoft.com for a single host on a VLAN that has no internet access and have just been told that I would need to list every resolvable subdomain or IP address to get this to work.
This means a rule that should take 30 seconds to create is basically impossible. Every firewall I've used in the past has had this functionality out of the box; I can't believe it's not at the very top of the list of developments to add to the SG/XG firewalls (and I can't imagine it's that hard to implement either).
I'd upvote this 100 times if I could. It's essential for our business.
+1 for this feature, would help out a ton
[Deleted User] commented
What is actually the status of this FR right now? I was hoping that Sophos had already planned to use and support wildcards in domain definitions which can be used in e.g. the packet filter.
[Deleted User] commented
@Adrenaline_x there is a way to import the required IP addresses. You may obtain the XML from Office 365, then parse the list per product (e.g. Skype for Business) for IP addresses and create objects in the UTM using the API, which is available from version 9.2 I guess. You may also take advantage of the API to (create and) maintain your firewall rule(s).
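The import route the comment above sketches, as an added example that is neither the commenter's script nor Sophos or Microsoft code. The XML below is a constructed sample in the shape of a per-product endpoint file (product elements holding typed address lists); the product codes, addresses and URLs are made up. Adjacent and duplicate prefixes are collapsed before definitions are built, which is what brings a list of several hundred entries down to something maintainable, and the wildcard URLs the file also carries are reported separately because the packet filter cannot take them. The appliance API path, object field names and authorization header used by `push()` are assumptions to be checked against the UTM's REST API documentation.

```python
"""Turn a per-product endpoint XML list into packet-filter host/network definitions.

Added example, not appliance code. SAMPLE_XML is constructed; the API details in push()
are assumptions and the call is only made when UTM_URL and UTM_TOKEN are set.
"""
import ipaddress
import json
import os
import urllib.request
import xml.etree.ElementTree as ET

SAMPLE_XML = """<products>
  <product name="LYO">
    <addresslist type="IPv4">
      <address>192.0.2.0/25</address>
      <address>192.0.2.128/25</address>
      <address>198.51.100.7</address>
      <address>198.51.100.7/32</address>
    </addresslist>
    <addresslist type="IPv6">
      <address>2001:db8:10::/48</address>
    </addresslist>
    <addresslist type="URL">
      <address>*.lync.com</address>
      <address>*.online.lync.com</address>
    </addresslist>
  </product>
  <product name="EXO">
    <addresslist type="IPv4">
      <address>203.0.113.0/26</address>
      <address>203.0.113.64/26</address>
      <address>203.0.113.0/24</address>
    </addresslist>
  </product>
</products>
"""


def parse_endpoints(xml_text, products):
    """Return {product: {"networks": [ip_network...], "urls": [str...]}} for the wanted products."""
    root = ET.fromstring(xml_text)
    out = {}
    for product in root.iter("product"):
        name = product.get("name")
        if name not in products:
            continue
        nets, urls = [], []
        for addresslist in product.findall("addresslist"):
            kind = addresslist.get("type")
            for addr in addresslist.findall("address"):
                value = (addr.text or "").strip()
                if not value:
                    continue
                if kind in ("IPv4", "IPv6"):
                    nets.append(ipaddress.ip_network(value, strict=False))  # bare IP becomes /32 or /128
                elif kind == "URL":
                    urls.append(value)  # wildcards: not usable as a DNS group definition
        out[name] = {"networks": nets, "urls": urls}
    return out


def collapse(networks):
    """Merge duplicate, adjacent and covered prefixes; v4 and v6 are collapsed separately."""
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def to_definitions(prefix, networks):
    """One host definition per single address, one network definition otherwise.

    The field names (name/address/netmask) are an assumed shape, not the documented API schema.
    """
    defs = []
    for net in networks:
        name = f"{prefix}_{net.network_address}_{net.prefixlen}"
        if net.num_addresses == 1:
            defs.append({"kind": "host", "name": name, "address": str(net.network_address)})
        else:
            defs.append({"kind": "network", "name": name,
                         "address": str(net.network_address), "netmask": net.prefixlen})
    return defs


def build(xml_text, products):
    """Definitions for the requested products in order, plus the wildcard URLs left over."""
    per_product = parse_endpoints(xml_text, products)
    defs, urls = [], []
    for name in products:
        entry = per_product.get(name)
        if entry:
            defs.extend(to_definitions(name, collapse(entry["networks"])))
            urls.extend(entry["urls"])
    return defs, urls


def push(defs, base_url, token):
    """POST each definition to the appliance. Path and Authorization header are assumptions."""
    for d in defs:
        path = f"/api/objects/network/{d['kind']}/"
        body = json.dumps({k: v for k, v in d.items() if k != "kind"}).encode()
        req = urllib.request.Request(base_url.rstrip("/") + path, data=body, method="POST",
                                     headers={"Content-Type": "application/json",
                                              "Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            resp.read()


if __name__ == "__main__":
    definitions, leftover_urls = build(SAMPLE_XML, ["LYO", "EXO"])
    print(json.dumps(definitions, indent=2))
    print("wildcard URLs needing web filter or wildcard support:", leftover_urls)
    if os.environ.get("UTM_URL") and os.environ.get("UTM_TOKEN"):
        push(definitions, os.environ["UTM_URL"], os.environ["UTM_TOKEN"])
```

Run it on the real endpoint file in place of SAMPLE_XML and diff the generated names against what already exists on the box before pushing; the endpoint list changes regularly, so the useful version of this is a scheduled job that adds new definitions and removes ones that disappeared, not a one-off import.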
How are you guys resolving all the Office 365 and Skype for Business FQDNs? I need to allow 5061 to 272 IPs/networks in our firewall allow list to get Skype for Business to work. There is no way to import the IPs and Sophos account managers are suggesting we use a third party to help. WTF?
To play devil's advocate: though I would like the feature as well, there is a "right" way to do this: multiple A records on your DNS domain for a hostname, or an SRV record with the appropriate host entries.
This feature is clearly critical for very fine-grained outbound traffic definition. I need it for antivirus and some other stuff; many addresses are multiple DNS hostnames, but a lot are wildcard domains. It's also useful especially when you don't want to integrate some system with a proxy and web filtering but only with firewall rules. It's a pain to identify every sub-address.
We need this feature to get CrashPlan to work. Otherwise you have to manually add their randomly generated subdomains to a network group every week, and that is too much to babysit for many different sites and locations.
Please add this feature.
Massimo Dalla Giustina commented
For our business the ability to use wildcards in domain definitions within firewall rules is CRITICAL. Please implement ASAP.
Scott Munton commented
Customer would like to be able to enter "*.domain.com" to have a rule apply to the root domain and all subdomains/pages.
Below is the Customer's FR information.
Company and Contact Information
Company: The Law Society of BC
Contact: John Nichol
Sophos Partner (if applicable):
Sophos Product Information
Sophos Product: UTM
Version in Production: 9.315-2
Feature Request Summary
How will this new feature address your business requirements?: The ability to use wildcards in domain definitions within firewall rules would make the creation of exceptions and managing exemptions significantly less cumbersome.
How would you rate the importance of this feature? (1 = Critical, 5 = Nice-to-have): 2
We are using a basic Network Protection subscription on an SG 105 running UTM 9.3. Our project requires blocking all outbound traffic except for a few select sites and services. This is possible to do using DNS Group definitions only if the site references a specific hostname, but not if the site uses a wildcard in the hostname. For example, it is possible to allow access to Sophos virus definition update servers by adding dci.sophosupd.net, d1.sophosupd.net, etc., as DNS Group definitions, since these resolve to IP addresses. Unfortunately other services like Windows Update require allowing access to wildcard hostnames such as "*.windowsupdate.microsoft.com", which do not resolve and so cannot be used in a DNS Group definition. Sophos support suggested using a regular expression to match the URL, but this only works if the Web Protection subscription is active. It would be great if wildcard URL matching could be made available for the Network Protection subscription, or the ability to use wildcards within DNS Group definitions. Thanks!