Another alternative: I think you need to use the SecIntel feature, so it will have the full list of IP addresses from Azure.
Original Message:
Sent: 05-07-2024 22:18
From: kronicklez
Subject: Wildcard fqdn not support in address-book?
Hi All,
Is the config below correct? The objective was for the source-address to be "*.azurewebsite.net". Appreciate any advice.
[edit]
root@JSRX1600# run show configuration security utm | display set
set security utm custom-objects url-pattern urllist1 value http://*.azurewebsites.net
set security utm custom-objects url-pattern urllist2 value http://*.cloudapp.net
set security utm custom-objects url-pattern urllist3 value https://*.azurewebsites.net
set security utm custom-objects url-pattern urllist4 value https://*.cloudapp.net
set security utm custom-objects custom-url-category cust-permit-list value urllist1
set security utm custom-objects custom-url-category cust-permit-list value urllist2
set security utm custom-objects custom-url-category cust-permit-list value urllist3
set security utm custom-objects custom-url-category cust-permit-list value urllist4
set security utm feature-profile web-filtering juniper-local profile localprofile1 default block
set security utm feature-profile web-filtering juniper-local profile localprofile1 category cust-permit-list action log-and-permit
set security utm utm-policy utmp5 web-filtering http-profile localprofile1
set security policies from-zone WAN to-zone LAN policy PERMIT-AZURE match source-address any
set security policies from-zone WAN to-zone LAN policy PERMIT-AZURE match destination-address any
set security policies from-zone WAN to-zone LAN policy PERMIT-AZURE match application any
set security policies from-zone WAN to-zone LAN policy PERMIT-AZURE then permit application-services utm-policy utmp5
Original Message:
Sent: 05-07-2024 16:20
From: asharp
Subject: Wildcard fqdn not support in address-book?
Starting in Junos OS Release 15.1X49-D110, the "* " in a wildcard syntax, used for URL pattern Web filtering profile, matches all subdomains. For example, *.example.net matches:
http://a.example.net
http://example.net
aaa.example.net
Reference: https://www.juniper.net/documentation/us/en/software/junos/utm/topics/topic-map/security-utm-local-web-filtering.html
------------------------------
Andy Sharp
Original Message:
Sent: 05-07-2024 12:07
From: Nikolay Semov
Subject: Wildcard fqdn not support in address-book?
I know that Local Web Filtering doesn't require a license, but I'm not familiar enough with it to tell if it can do the wildcard.
------------------------------
Nikolay Semov
Original Message:
Sent: 05-07-2024 11:52
From: kronicklez
Subject: Wildcard fqdn not support in address-book?
Hi Nikolay,
Let's say I don't have a web filtering license. Is there any alternative way I can get the list for that "*"?
Thanks
Original Message:
Sent: 05-07-2024 11:05
From: Nikolay Semov
Subject: Wildcard fqdn not support in address-book?
The address-book is strictly for matching the IP addresses in the packet headers. A wildcard domain matching would require you to examine the packet payload. On the SRX you can do that with Web Filtering (https://www.juniper.net/documentation/us/en/software/junos/utm/topics/concept/utm-web-filtering-overview.html) and, to a certain extent, with Application Identification (https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-application-identification-overview.html).
------------------------------
Nikolay Semov
Original Message:
Sent: 05-07-2024 10:06
From: kronicklez
Subject: Wildcard fqdn not support in address-book?
Hi all,
Referring to this URL, https://supportportal.juniper.net/s/article/SRX-DNS-address-book-entries-with-wildcard-is-not-accepted?language=en_US, SRX still doesn't have this feature even though it is already 2024, unlike other firewalls that support it such as FortiGate and Sophos. So currently I'm migrating Sophos to SRX and facing an issue converting *.azurewebsites.net and *.cloudapp.net to SRX. I tried Google and did not find the list of URLs or services for those two wildcards. Appreciate it if someone here has experience with how to solve this issue.
Thanks
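An added example, not code from the thread or from Juniper: it parses the url-pattern lines of the config posted above and applies the wildcard rule quoted in Andy Sharp's reply, so candidate hostnames (including lookalikes) can be checked against the permit list. The function names are hypothetical, and it assumes matching is on the hostname only with the scheme ignored; the actual Junos matcher may differ.

```python
import re

# Constructed input: the four url-pattern lines copied from the posted config.
CONFIG = """\
set security utm custom-objects url-pattern urllist1 value http://*.azurewebsites.net
set security utm custom-objects url-pattern urllist2 value http://*.cloudapp.net
set security utm custom-objects url-pattern urllist3 value https://*.azurewebsites.net
set security utm custom-objects url-pattern urllist4 value https://*.cloudapp.net
"""

PATTERN_LINE = re.compile(
    r"^set security utm custom-objects url-pattern (\S+) value (\S+)$")

def parse_patterns(config):
    """Return {pattern-name: value} for each url-pattern line of `display set` output."""
    found = {}
    for line in config.splitlines():
        m = PATTERN_LINE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found

def host_of(value):
    """Lower-cased hostname of a URL or bare host (scheme, port, path dropped)."""
    host = value.split("://", 1)[-1]
    host = re.split(r"[/:?#]", host, maxsplit=1)[0]
    return host.lower().rstrip(".")

def matches(pattern, url):
    """Quoted rule: '*.example.net' matches example.net and all its subdomains."""
    p, h = host_of(pattern), host_of(url)
    if not p.startswith("*."):
        return p == h
    base = p[2:]
    # Require a label boundary so 'notexample.net' does not match 'example.net'.
    return h == base or h.endswith("." + base)

def permitted(url, patterns):
    """Sorted names of the patterns that match `url` (empty list = default action)."""
    return sorted(name for name, pat in patterns.items() if matches(pat, url))

if __name__ == "__main__":
    pats = parse_patterns(CONFIG)
    for candidate in ("https://myapp.azurewebsites.net/login",   # constructed samples
                      "vm1.eastus.cloudapp.net",
                      "http://azurewebsites.net.lookalike.example",
                      "notazurewebsites.net"):
        print(candidate, "->", permitted(candidate, pats) or "no match (default block)")
```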