topic Re: Wildcard fqdn not matching R80.40 in Firewall and Security Management

Wildcard fqdn not matching R80.40

nw-team01 — Wed, 14 Oct 2020 13:54:22 GMT

Hi,

I have a problem using wildcard fqdn's in R80.40, here is the exact issue:

DE-FRA-ANX-P002.teamviewer.com

will not match to: .*.teamviewer.com or .*teamviewer.com or .teamviewer.com

No matter what combination i try, all traffic towards teamviewer.com ends up in the cleanup rule.

Similar issues with other domains also: .*citrixonline\.*, .*gotomeeting\.*...

Can anyone help me with this?

Re: Wildcard fqdn not matching R80.40

PhoneBoy — Wed, 14 Oct 2020 14:04:23 GMT

What precise object type are you using to create this?
Perhaps a screenshot would help.

If it’s a Domain object, this won’t work at all since that relies on reverse DNS which is almost never going to resolve to the correct name.
If it’s a Custom Application/Site, then it will only work for HTTP/HTTPS traffic.

I’m also pretty sure we have an App Control definition for TeamViewer which I recommend instead.

Re: Wildcard fqdn not matching R80.40

nw-team01 — Wed, 14 Oct 2020 14:20:07 GMT

So i gather that domain Objects are not the way to got with this.

i'm glad you mentioned App Control definition for TeamViewer, i was going to make a separate post for this. As using this results in a permit any for all ports matched in the App Control definition for TeamViewer. Including http and https.

Connections are permitted with this reason:

Connection terminated before detection: Insufficient data passed.
To learn more see sk113479.

I've atached some screenshots.

Thanks for your help.

Re: Wildcard fqdn not matching R80.40

PhoneBoy — Thu, 15 Oct 2020 03:33:18 GMT

That’s the way App Control works: some traffic has to be allowed on the relevant ports for TeamViewer in order to determine it’s actually TeamViewer.
If the connection terminates before we’ve made a determination, which usually requires a few packets, then yes, that connection will be allowed.

What is your precise goal here?
Is it to allow access to TeamViewer’s website, using the TeamViewer application, or?
The TeamViewer website may require a different rule than the Application Signature, which is more for the TeamViewer application itself.

Re: Wildcard fqdn not matching R80.40

_Val_ — Thu, 15 Oct 2020 06:53:26 GMT

FQDN is not a wildcard, is it?

Re: Wildcard fqdn not matching R80.40

nw-team01 — Thu, 15 Oct 2020 07:41:46 GMT

Yes, i have now learned that wildcard fqdn's dont work.

My goal is to get teamviewer working again. Something on the end user PC's changed and the proxy settings are ignored, of course no one knows why. And only our Sites in Romania are affected.

I've just tested again using the App Control definition for TeamViewer, that works fine for me.

Slightly off topic here, but regarding fqdn's. I use the ip block tool described in sk103154 and beside some dynamic feeds i also feed a list (attached) of fqdn's and IP's that i manually edit. That should be fine i hope when not using wildcards..?