1 2 Previous Next 10 Replies Latest reply on Mar 13, 2015 7:35 PM by mike18

    Replacing Network object - IP address with host


      Hi all,


      For few websites we have NEtwork objects type  IP addresses.

      As wesbite IP address changes we need to change it on firewall so users are able to access it again

      Will replacing the NEtwork object type with Host fix this issue forever as long as our DNS is working ?

      I am going to make new Network Object  type Host if  i do that

      then do i also need to Put IP under TAB

      IP addess for the  host?




      OR DNS will take care of that automatically?





      Message was edited by: Mike

        • 1. Re: Replacing Network object - IP address with host

          If you are trying to prevent people from going to certain sites you should use SmartFilter.  You should not be creating rules that allow people to only go to certain sites.  The vast majority of websites load content on their webpages from other sites that don't resolve to the same IP as the page you initially requested.  If you try to lock down your rules to specific Hosts you are going to break pretty much every site you browse to.  My suggestion is to never use Host or Domain objects unless its for internal sites for which you control the DNS responses.  Although we rely on the DNS and it (knock-on-wood) usually works, it is inherently unreliable.


          For example, Domain objects rely on reverse-DNS.  For Domain objects to work the administrator of the DNS for that domain has to have added the correct reverse-DNS entries into their system for all of their hosts.  This means your policy-decisions are based on the fact that you hope someone else has configured their systems correctly in order for your policy to work how you've configured it.

          • 2. Re: Replacing Network object - IP address with host

            These are the webites that we do not to go via Proxy.

            So on Firewall we have created Rule to allow users to access these websites.


            We have created Netgroup with list if web sites IP addresses.


            How can i use smartfilter to allow users to access these webites without any issues i mean if website IP address changes?



            • 3. Re: Replacing Network object - IP address with host

              Without knowing how your environment is designed I can't give you any advice.

              • 4. Re: Replacing Network object - IP address with host

                IF you can tell just this if i create smart filter then how i define those website IP addresses that will be great?

                • 5. Re: Replacing Network object - IP address with host

                  That's not how SmartFilter works, sorry.

                  • 6. Re: Replacing Network object - IP address with host

                    Many thanks for the Reply




                    • 7. Re: Replacing Network object - IP address with host

                      I was curious to how your environment is set up because of what you said about proxying.  If you have some application on your PCs that routes web traffic to a proxy based on destination (or some other device in the path to the firewall that makes this decision) then whatever is sent to the firewall should be allowed, correct?  That's just my guess as to what you meant.  If that's the case then it would seem you're making the same decision twice.  "If the PC is going to google.com, go to the firewall.  If not, then go to this other proxy device."  Then on the firewall you say "Is this going to google.com?," which is the same thing you just decided prior to the packet arriving at the firewall.


                      For Host objects, you have an example of google.com.  On my firewall, a dig for google.com returns (the A record for google.com).  A dig for www.google.com returns 5 different 74.125.x.x IP addresses (the A records for the host "www" in the domain google.com).  You'd need two different Host objects depending on if someone typed google.com or www.google.com into their browser.  That's how Host (or Domain) objects can seemingly work and not-work at the same time.  Also, if your PCs do not use the firewall as their DNS server or they use a different DNS server than the firewall does you may get different, valid results for your DNS requests and then the traffic will fail.  The PC does a DNS request to DNS-server-A and gets as a valid IP address for google.com and sends a request to the firewall.  The firewall then does its own DNS request to DNS-server-B and gets a valid response of but then denies your traffic because the IPs don't match.  Both DNS responses are correct but they are different and traffic doesn't work.  That is something to consider when using Host and Domain objects.

                      • 8. Re: Replacing Network object - IP address with host

                        We have Mcafee Webgateway for url filtering allowing http/https traffic.

                        USer PC have PAC file that points to MCafee Webgateway for http/https traffic.

                        There are some exceptions in our PAC file that say for certain https sites do not go via Mcafee webgateway instead go directy to Internet.


                        On Mcafee Firewall we have 2 rules to allow web traffic.

                        Rule for Exceptions for specfic websites come first to allow http/https traffic  to these certian sites only.


                        The another general rule to allow all http traffic for any sites with smartfilter enabled.



                        • 9. Re: Replacing Network object - IP address with host

                          Yeah, so you're making the same decision twice.  If you'd like to use Host or Domain objects then take into consideration all the things I've said about them.  Another thing to consider is that if you use Host or Domain objects and all your DNS resolution stops working (your internal DNS server goes down let's say) this can cause, in some instances, all of the firewall policy to stop working while the ACL-daemon (acld) waits for responses from the Host-daemon (hostd) on whether example.com resolves to or not.  While acld is waiting for hostd it may not be able to process any other requests.  In the latest version of the firewall there are measures to prevent this, but a large number of objects that require DNS resolution and that resolution failing can cause performance problems on the firewall.


                          You are using SmartFilter and it Allows and Denies both HTTP and HTTPS so you can use it in your setup.  You can put custom sites into Whitelist categories for example.  The HTTP proxy also has its own URL control (under the HTTP URL Control tab in the App. Defense) that can Allow or Deny based on string matches (this won't work for HTTPS sites, though, as the firewall only sees the IP address and not the URL since the session is encrypted).

                          1 2 Previous Next