TZ670, SonicOS 7.0.0-R906: Geo-IP filter exclusion using wildcard FQDN does not work
I'm hoping someone can help me with setting up Geo-IP filter exclusion by using FQDN rather than IP addresses.
Our AV uses an agent which communicates with cloud services to log messages and alerts to our web console. The domains it communicates with are Akamaized so they may resolve to various IPs. A few of the IPs it uses quite often are located in Spain, which is set to be blocked through Geo-IP filter. We believe this causes the issue we have with the agents not communicating with our console.
The address object using wildcard FQDN and placed in the exclusion group applied to the filter does not seem to work, as IP addresses of the subdomains are still blocked and traffic is dropped by the FW, as seen in Monitor / System Logs.
This is what I have set up at the moment:
- Address Objects created with wildcard FQDN like so: *.domain-name.com, and assigned to the zones the traffic originates from.
- Objects above added to the Address Group which is used as exclusion group under Policy / Security Services / Geo-IP Filter / Countries / GEO-IP EXCLUSION OBJECT
What I want to do:
I want to use the FQDN with a wildcard to make sure the exclusions are dynamic as IPs may resolve to various locations.
I found a post with a similar problem and a workaround proposed in the reply linked below. However, users reported the issue was resolved with a firmware patch in SonicOS version 6.x.x. I am using version 7 and I would expect this to work in the newer version; however, it does not seem to. I suspect there is a configuration somewhere which would enable resolving FQDNs used in Address Objects.
The setting suggested in the post above is not enabled on my FW; would this (i.e. enabling ENABLE DNS HOST NAME LOOKUP OVER TCP FOR FQDN option) be the correct way to enable exclusions which use FQDNs?
This is a FW which is in production; as most staff work remotely now, I can't do too much in terms of testing and messing about with various settings.
Screenshots with the config below. I have edited out some info which has internal setup details (IPs, etc.), but I left the important settings visible.
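One triage step for the situation described above, as an added example that is not part of the original post or of SonicOS: correlate the destination IPs in Geo-IP drop log entries with what the agent's hostnames resolve to right now, so you can confirm that the dropped addresses really belong to domains that the wildcard object should cover. The log lines and hostnames below are constructed (the line format is not real SonicOS output), and the resolver should be run against the same DNS server the firewall uses, since a wildcard FQDN object can only match hostnames whose DNS answers the firewall has actually seen.

```python
import re
import socket
from collections import defaultdict

# Constructed sample log lines (NOT real SonicOS format); only the
# msg= marker and the dst= field are used by the parser below.
SAMPLE_LOG = """\
time="2021-03-01 10:02:11" msg="Geo-IP: packet dropped" src=10.0.5.23 dst=203.0.113.17 country=Spain
time="2021-03-01 10:02:14" msg="Geo-IP: packet dropped" src=10.0.5.23 dst=203.0.113.18 country=Spain
time="2021-03-01 10:03:02" msg="Connection opened" src=10.0.5.40 dst=198.51.100.9
time="2021-03-01 10:04:51" msg="Geo-IP: packet dropped" src=10.0.5.23 dst=198.51.100.77 country=Spain
"""

# Constructed hostnames standing in for the concrete subdomains the AV
# agent actually contacts under the wildcard object *.domain-name.com.
AGENT_HOSTS = ["agent.domain-name.com", "telemetry.domain-name.com"]

DROP_RE = re.compile(r'msg="Geo-IP: packet dropped".*?\bdst=(\d{1,3}(?:\.\d{1,3}){3})')


def geoip_dropped_ips(log_text):
    """Return the set of destination IPs the Geo-IP filter dropped."""
    return {m.group(1) for m in DROP_RE.finditer(log_text)}


def resolve_all(hostname):
    """Collect every IPv4 address the local resolver currently returns.
    Akamaized names rotate, so run this more than once over time."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def correlate(log_text, hostnames, resolver=resolve_all):
    """Map each dropped IP to the hostnames it resolves from, and also
    return the dropped IPs that match none of them (either a hostname the
    firewall has not learned yet, or an unrelated destination)."""
    current = {h: resolver(h) for h in hostnames}
    hits = defaultdict(set)
    dropped = geoip_dropped_ips(log_text)
    for ip in dropped:
        for host, addrs in current.items():
            if ip in addrs:
                hits[ip].add(host)
    matched = {ip: sorted(hosts) for ip, hosts in hits.items()}
    return matched, dropped - set(matched)


if __name__ == "__main__":
    matched, unmatched = correlate(SAMPLE_LOG, AGENT_HOSTS)
    print("dropped IPs covered by agent hostnames:", matched)
    print("dropped IPs not covered:", sorted(unmatched))
```

If a dropped IP shows up under one of the agent hostnames, the exclusion object is not being applied to traffic it should cover; if it shows up under none, the firewall may simply never have seen a DNS answer for that subdomain.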