mike18
Level 7
Message 1 of 11

Replacing Network object - IP address with host


Hi all,

For a few websites we have Network objects of type IP address.

As a website's IP address changes, we need to change it on the firewall so users are able to access it again.

Will replacing the Network object type with Host fix this issue forever, as long as our DNS is working?

I am going to make a new Network Object of type Host. If I do that,

then do I also need to put the IP under the tab

"IP address for the host"?

Or will DNS take care of that automatically?

Regards

Mike

Message was edited by: Mike


Accepted Solutions
sliedl
Level 14
Message 2 of 11

Re: Replacing Network object - IP address with host


If you are trying to prevent people from going to certain sites you should use SmartFilter.  You should not be creating rules that allow people to only go to certain sites.  The vast majority of websites load content on their webpages from other sites that don't resolve to the same IP as the page you initially requested.  If you try to lock down your rules to specific Hosts you are going to break pretty much every site you browse to.  My suggestion is to never use Host or Domain objects unless it's for internal sites for which you control the DNS responses.  Although we rely on the DNS and it (knock-on-wood) usually works, it is inherently unreliable.

For example, Domain objects rely on reverse-DNS.  For Domain objects to work the administrator of the DNS for that domain has to have added the correct reverse-DNS entries into their system for all of their hosts.  This means your policy-decisions are based on the fact that you hope someone else has configured their systems correctly in order for your policy to work how you've configured it.

10 Replies

mike18
Level 7
Message 3 of 11

Re: Replacing Network object - IP address with host


These are the websites that we do not want to go via the proxy.

So on the firewall we have created a rule to allow users to access these websites.

We have created a Netgroup with a list of website IP addresses.

How can I use SmartFilter to allow users to access these websites without any issues, I mean if a website's IP address changes?

Mike

sliedl
Level 14
Message 4 of 11

Re: Replacing Network object - IP address with host


Without knowing how your environment is designed I can't give you any advice.

mike18
Level 7
Message 5 of 11

Re: Replacing Network object - IP address with host


If you can tell me just this: if I create a SmartFilter, then how do I define those website IP addresses? That would be great.

sliedl
Level 14
Message 6 of 11

Re: Replacing Network object - IP address with host


That's not how SmartFilter works, sorry.

mike18
Level 7
Message 7 of 11

Re: Replacing Network object - IP address with host


Many thanks for the reply.

Regards

Mike

sliedl
Level 14
Message 8 of 11

Re: Replacing Network object - IP address with host


I was curious as to how your environment is set up because of what you said about proxying.  If you have some application on your PCs that routes web traffic to a proxy based on destination (or some other device in the path to the firewall that makes this decision) then whatever is sent to the firewall should be allowed, correct?  That's just my guess as to what you meant.  If that's the case then it would seem you're making the same decision twice.  "If the PC is going to google.com, go to the firewall.  If not, then go to this other proxy device."  Then on the firewall you say "Is this going to google.com?", which is the same thing you just decided prior to the packet arriving at the firewall.

For Host objects, you have an example of google.com.  On my firewall, a dig for google.com returns 216.58.216.78 (the A record for google.com).  A dig for www.google.com returns 5 different 74.125.x.x IP addresses (the A records for the host "www" in the domain google.com).  You'd need two different Host objects depending on if someone typed google.com or www.google.com into their browser.  That's how Host (or Domain) objects can seemingly work and not-work at the same time.  Also, if your PCs do not use the firewall as their DNS server or they use a different DNS server than the firewall does you may get different, valid results for your DNS requests and then the traffic will fail.  The PC does a DNS request to DNS-server-A and gets 1.2.3.4 as a valid IP address for google.com and sends a request to the firewall.  The firewall then does its own DNS request to DNS-server-B and gets a valid response of 5.6.7.8 but then denies your traffic because the IPs don't match.  Both DNS responses are correct but they are different and traffic doesn't work.  That is something to consider when using Host and Domain objects.
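The split-resolver failure described in the reply above, as an added simulation that is not code from this thread or from McAfee. A Host object is modelled as a name the firewall resolves with its own resolver, and a packet is allowed only if its destination IP is among the A records returned. The two resolver tables, the names and the IP addresses (documentation ranges) are all constructed sample data; no real DNS lookup happens.

```javascript
// Added example: how a firewall "Host" object behaves when the client PC and
// the firewall resolve the same name through different DNS servers.
// Every resolver table, name and IP below is constructed sample data.

// Two resolvers that both return valid, but different, A records for the same
// names (as happens with CDN-style per-resolver answers).
const DNS_SERVER_A = {
  "example.com":     ["192.0.2.10"],
  "www.example.com": ["192.0.2.20", "192.0.2.21"],
};
const DNS_SERVER_B = {
  "example.com":     ["198.51.100.10"],
  "www.example.com": ["198.51.100.20", "198.51.100.21"],
};

// Resolve a name against one resolver table. An unknown name yields an empty
// answer set, which stands in for a failed lookup.
function resolveA(name, resolver) {
  return resolver[name.toLowerCase()] || [];
}

// Firewall side: the Host object is just a name. The firewall resolves it with
// ITS resolver and allows the packet only if the destination IP is in the set.
// An empty answer set therefore means "deny" (fail closed).
function hostObjectAllows(dstIp, hostName, firewallResolver) {
  return resolveA(hostName, firewallResolver).includes(dstIp);
}

// Client side: the PC resolves the name with ITS resolver and connects to the
// first A record it receives.
function clientPicksDestination(hostName, clientResolver) {
  const answers = resolveA(hostName, clientResolver);
  return answers.length ? answers[0] : null;
}

// One end-to-end connection attempt. Returns a record describing the outcome
// so it can be inspected or asserted on rather than only printed.
function simulateConnection(typedName, hostObjectName, clientResolver, firewallResolver) {
  const dstIp = clientPicksDestination(typedName, clientResolver);
  if (dstIp === null) {
    return { dstIp: null, allowed: false, reason: "client DNS failed" };
  }
  const allowed = hostObjectAllows(dstIp, hostObjectName, firewallResolver);
  return {
    dstIp,
    allowed,
    reason: allowed ? "dst IP matched Host object" : "dst IP not in firewall's A records",
  };
}

// Three scenarios from the discussion:
//  sameResolver  - PC and firewall share a resolver: traffic passes.
//  splitResolver - different resolvers: both answers are valid, traffic is denied.
//  wrongObject   - user typed www.example.com but the object is example.com: denied.
function runScenarios() {
  return {
    sameResolver:  simulateConnection("example.com",     "example.com", DNS_SERVER_A, DNS_SERVER_A),
    splitResolver: simulateConnection("example.com",     "example.com", DNS_SERVER_A, DNS_SERVER_B),
    wrongObject:   simulateConnection("www.example.com", "example.com", DNS_SERVER_A, DNS_SERVER_A),
  };
}

for (const [name, result] of Object.entries(runScenarios())) {
  console.log(`${name}: dst=${result.dstIp} allowed=${result.allowed} (${result.reason})`);
}
```

The practical checks this suggests: confirm the firewall and the clients use the same resolver (or the firewall is the clients' resolver), and create one Host object per name users actually type, since `example.com` and `www.example.com` are separate records.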

mike18
Level 7
Message 9 of 11

Re: Replacing Network object - IP address with host


We have McAfee Web Gateway for URL filtering, allowing HTTP/HTTPS traffic.

User PCs have a PAC file that points to McAfee Web Gateway for HTTP/HTTPS traffic.

There are some exceptions in our PAC file that say, for certain HTTPS sites, do not go via McAfee Web Gateway; instead go directly to the Internet.

On the McAfee Firewall we have 2 rules to allow web traffic.

The rule for exceptions for specific websites comes first, to allow HTTP/HTTPS traffic to these certain sites only.

The other, general rule allows all HTTP traffic to any site with SmartFilter enabled.

Regards

Mike
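A PAC file of the shape Mike describes, as an added example that is not the poster's file or McAfee's code: a short list of HTTPS sites goes DIRECT, everything else goes to the gateway. The gateway address and the exception list are constructed placeholders, and the two PAC helper functions (`dnsDomainIs`, `shExpMatch`) are minimal reimplementations of what a browser normally supplies, included only so the file runs and can be tested under Node.

```javascript
// Added example: a PAC file with HTTPS exceptions that bypass the web gateway.
// GATEWAY and DIRECT_HOSTS are constructed placeholders.

const GATEWAY = "PROXY webgateway.example.internal:9090";

// Destinations that bypass the gateway. Entries without a leading dot are
// matched exactly; entries with a leading dot match the whole domain.
// The firewall's "exception" rule has to allow exactly these destinations.
const DIRECT_HOSTS = ["example.com", "www.example.com", ".example.net"];

// Minimal stand-ins for the browser-provided PAC helpers. Browsers implement
// dnsDomainIs as a plain suffix test, which is why "example.com" would also
// match "notexample.com" if used unguarded (see the loop below).
function dnsDomainIs(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host.length >= domain.length && host.endsWith(domain);
}

// Shell-style glob match ("*" and "?"), case-insensitive like the browsers' version.
function shExpMatch(str, shexp) {
  const escaped = shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", "i").test(str);
}

// The PAC entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  const h = host.toLowerCase();

  // Only HTTPS requests are eligible for the exception list; plain HTTP to the
  // same host still goes through the gateway so it is URL-filtered there.
  if (shExpMatch(url, "https://*")) {
    for (const entry of DIRECT_HOSTS) {
      const exact = !entry.startsWith(".") && h === entry;
      const domain = entry.startsWith(".") && dnsDomainIs(h, entry);
      if (exact || domain) {
        return "DIRECT";
      }
    }
  }

  // Everything else: the gateway only. A "PROXY ...; DIRECT" fallback is
  // deliberately NOT used, because it would let clients bypass filtering
  // whenever the gateway is unreachable.
  return GATEWAY;
}
```

Two things worth checking when you maintain such a file: each DIRECT entry needs a matching destination in the firewall's exception rule (the "same decision twice" noted earlier in the thread), and bare hostnames should be compared exactly rather than passed to `dnsDomainIs`, which only does a suffix match.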

sliedl
Level 14
Message 10 of 11

Re: Replacing Network object - IP address with host


Yeah, so you're making the same decision twice.  If you'd like to use Host or Domain objects then take into consideration all the things I've said about them.  Another thing to consider is that if you use Host or Domain objects and all your DNS resolution stops working (your internal DNS server goes down let's say) this can cause, in some instances, all of the firewall policy to stop working while the ACL-daemon (acld) waits for responses from the Host-daemon (hostd) on whether example.com resolves to 2.3.4.5 or not.  While acld is waiting for hostd it may not be able to process any other requests.  In the latest version of the firewall there are measures to prevent this, but a large number of objects that require DNS resolution and that resolution failing can cause performance problems on the firewall.

You are using SmartFilter and it Allows and Denies both HTTP and HTTPS so you can use it in your setup.  You can put custom sites into Whitelist categories for example.  The HTTP proxy also has its own URL control (under the HTTP URL Control tab in the App. Defense) that can Allow or Deny based on string matches (this won't work for HTTPS sites, though, as the firewall only sees the IP address and not the URL since the session is encrypted).
