define many objects for ACL LAN->WAN - suggestion
Alberto
Hi I would like to have a suggestion for the following activity.
I need to create a LAN-> WAN ACL to allow a server to reach certain destinations.
Example:
security.ubuntu.com port 80 tcp
it.archive.ubuntu.com port 80 tcp
security.ubuntu.com port 443 tcp
it.archive.ubuntu.com port 443 tcp
keyserver.ubuntu.com port 11371 tcp
downloads-distro.mongodb.org 80 tcp
repo.mongodb.org 443
comped01.weblicman.com 443 tcp
*.multicertify.com 389 tcp
and many more.
How do you manage them? Do I have to put them all in by hand?
Do you recommend putting them in via CLI? Can it be done?
Alberto
Category: Mid Range Firewalls
Answers
Hello @Alberto,
You can either perform these tasks via CLI or SonicOS API. Please take a look at the following KBs.
Once the objects/groups are added, the access rule is a single-step process. Most of the services are built-in; you can manually add any custom ones.
I hope this helps!
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Which is the syntax to add an object of type fqdn?
Hello @Alberto,
From CLI, you can use the syntax
address-object fqdn <Name_of_the_object> domain <Name_of_the_domain> zone WAN
commit
Eg: address-object fqdn Test domain www.google.com zone WAN
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
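Since the question is how to add a long destination list without typing each object by hand, here is an added example (not from SonicWall or any poster in this thread) that turns the list from the question into `address-object fqdn ... zone WAN` lines in the syntax posted above, one per distinct host, followed by `commit`. It assumes the `medas_` naming prefix and the WAN zone from the thread, treats a leading `*` label as acceptable because `*.ubuntu.com` is accepted later in the thread, and does not emit the group or access-rule commands, whose syntax the thread does not show.

```python
import re

# Constructed from the destination list in the question: (fqdn, port, proto).
DESTINATIONS = [
    ("security.ubuntu.com", 80, "tcp"),
    ("it.archive.ubuntu.com", 80, "tcp"),
    ("security.ubuntu.com", 443, "tcp"),
    ("it.archive.ubuntu.com", 443, "tcp"),
    ("keyserver.ubuntu.com", 11371, "tcp"),
    ("downloads-distro.mongodb.org", 80, "tcp"),
    ("repo.mongodb.org", 443, "tcp"),
    ("comped01.weblicman.com", 443, "tcp"),
    ("* .multicertify.com", 389, "tcp"),  # pasted with a stray space, as in the post
]

# RFC 1123 label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def normalize_fqdn(raw):
    """Remove stray whitespace, lower-case, drop a trailing dot and validate
    every label; a leading '*' wildcard label is allowed because the thread
    shows '*.ubuntu.com' accepted as an FQDN object. Invalid input raises
    ValueError so a typo cannot silently become a dead or over-broad object."""
    fqdn = "".join(raw.split()).lower().rstrip(".")
    labels = fqdn.split(".")
    if len(labels) < 2 or len(fqdn) > 253:
        raise ValueError(f"not an FQDN: {raw!r}")
    for i, label in enumerate(labels):
        if i == 0 and label == "*":
            continue
        if not _LABEL.match(label):
            raise ValueError(f"bad label {label!r} in {raw!r}")
    return fqdn

def cli_commands(destinations, prefix="medas_", zone="WAN"):
    """One 'address-object fqdn' line per distinct FQDN (a host reached on
    both 80 and 443 needs a single object), then one 'commit', in the syntax
    posted above. '*' is assumed unsafe in an object name and is replaced."""
    seen = []
    for raw, _port, _proto in destinations:
        fqdn = normalize_fqdn(raw)
        if fqdn not in seen:
            seen.append(fqdn)
    cmds = []
    for fqdn in seen:
        name = prefix + fqdn.replace("*.", "wildcard_")
        cmds.append(f"address-object fqdn {name} domain {fqdn} zone {zone}")
    cmds.append("commit")
    return cmds
```

The output can be pasted into an SSH session at the `config(...)#` prompt; review the generated list before committing, since each line becomes a permitted destination.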
thanks !
config(18B16953FB2C)# address-object fqdn Test domain www.google.com zone WAN
(add-fqdn-address-object[Test])# commit
% Applying changes...
[AUDIT] ID=20, TransactionID=14, Index="Test", Description="Added 'FQDN Address Object' ", Old="", New="Test", auditPath="", User="admin", Session="SSH";
[AUDIT] ID=21, TransactionID=14, Index="Test", Description=" 'FQDN Address Object Type' ", Old="", New="FQDN", auditPath="", User="admin", Session="SSH";
[AUDIT] ID=22, TransactionID=14, Index="Test", Description=" 'FQDN Address Object Zone' ", Old="", New="WAN", auditPath="", User="admin", Session="SSH";
[AUDIT] ID=23, TransactionID=14, Index="Test", Description=" 'FQDN Hostname' ", Old="", New="www.google.com", auditPath="", User="admin", Session="SSH";
% Status returned processing command:
commit
% Changes made.
(edit-fqdn-address-object[Test])#
Perfect! You can similarly add all address objects, group them and then use in the access rule.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Thanks, but for example:
address-object fqdn medas_security.ubuntu.com domain security.ubuntu.com zone WAN
address-object fqdn medas_it.archive.ubuntu.com domain it.archive.ubuntu.com zone WAN
address-object fqdn medas_en.archive.ubuntu.com domain en.archive.ubuntu.com zone WAN
address-object fqdn medas_keyserver.ubuntu.com domain keyserver.ubuntu.com zone WAN
Can I define only "ubuntu.com"?
@Alberto,
Instead of just ubuntu.com, I would suggest using *.ubuntu.com as below:
address-object fqdn Ubuntu domain *.ubuntu.com zone WAN
This will include all subdomains of ubuntu.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Hi @Alberto
If you wanna allow LDAP to all hosts in the domain *.multicertify.com you will be out of luck; this is where IP-based Access Rules and name-based requirements drift apart. The FQDN cannot hold the whole multicertify.com zone; you need to define all server names as one object or define a network object if they are in the same range.
--Michael@BWC