topic Re: Allow rule for site hosted on akamai CDN, only the first dns response seems to work in General Topics

Allow rule for site hosted on akamai CDN, only the first dns response seems to work

Ruud — Fri, 27 Jun 2025 13:20:25 GMT

Hi Guys,

Our server techs requested that i allow their iDrac devices https access to the url downloads.dell.com to download their updates.
downloads.dell.com however is hosted on the akamai cdn network, so there are a lot of servers behind that url.

It works using the url as a firewall object, but only for 1 akamai server, the rest is blocked. It seems like only the ip address of the server that was received on the initial DNS request works, as this remains in the cache. The iDracs however are trying to connect multiple akamai servers, which will be blocked. (no clue how the iDracs do get a list of hosts on that url)

I could create a firewall object containing a list of known akamai servers to resolve this, but that list will change all the time, and it's not a given that all of these servers will host the dell download files.

I have seen this before when creating rules for servers on azure etc.

Is there a neat way to resolve this ? Perhaps a firewall object that dynamically checks the server ranges from akamai etc ?

Re: Allow rule for site hosted on akamai CDN, only the first dns response seems to work

PhoneBoy — Fri, 27 Jun 2025 17:08:51 GMT

When you say "URL as a firewall object" please clarify which object type was used here.
Also clarify version/JHF in use.

Re: Allow rule for site hosted on akamai CDN, only the first dns response seems to work

Ruud — Mon, 30 Jun 2025 04:50:06 GMT

I created a new "domain" entry in the object explorer : .downloads.dell.com

Re: Allow rule for site hosted on akamai CDN, only the first dns response seems to work

Chris_Atkinson — Mon, 30 Jun 2025 06:52:43 GMT

Do the gateways and requesting client use the same DNS server settings and resolve it the same way?

Additionally which version/JHF is the gateway in question?

Re: Allow rule for site hosted on akamai CDN, only the first dns response seems to work

PhoneBoy — Mon, 30 Jun 2025 16:27:18 GMT

Unless your gateway and clients are using the exact same DNS server (and getting the same results), this object type won't work well.
There are other options that might work better, and I cover them in the Web Filtering Best Practices session I periodically run.

Re: Allow rule for site hosted on akamai CDN, only the first dns response seems to work

the_rock — Mon, 30 Jun 2025 19:28:12 GMT

Make sure its checked as fully qualified domain name.

Andy

Re: Allow rule for site hosted on akamai CDN, only the first dns response seems to work

Ruud — Tue, 01 Jul 2025 06:44:06 GMT

We run r81.20 at our gateways. But the DNS server thing might be the issue.

Our server guys are renewing their server infrastructure and started using new DNS servers, but the network equipment hasn't been changed yet. So, this is a good reason to pick up that task for sure.

Going to look at Phoneboys session for sure as well.

Thanks for your responses guys !