
dynamic access policy using "Identity Awareness" infrastructure

Question asked by Hans van den Boomen (Employee) on Oct 19, 2016
Latest reply on Oct 28, 2016 by Quinne41a9893-0917-4fe7-8d41-2f36826848bc

I would like to accomplish the following:

Build a script that will poll a DNS server for a domain (www.example.com or microsoft.com),

and then use the response (host/user object) of the DNS server to update the security gateway firewall policy.

Preferably I would like to give the 'host/user object' a timeout setting so it will disappear from the policy automatically.

In order to accomplish the timeout feature my idea was to use the Identity Awareness functionality (the same infrastructure used when integrating with Active Directory and VMware NSX).

The main reason for doing this is to build a dynamic policy based on DNS, so the firewall policy is periodically updated with the latest IP addresses retrieved from the DNS server.

I get quite a few customers asking for a more dynamic firewall policy. Our current domain objects are not suitable for this, and the new R80.10 feature will not provide this either (as far as I understand now).

Perhaps the above can be used to accomplish this.

Is this possible using R80 and the REST APIs?

I've seen an "R80 dynamic DNS rule auto update" script, but I don't think it uses timeout settings, and it is only for one host object (IP address).
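As an added example (not from the original post or from Check Point's own tooling), here is a Python sketch of the polling loop described above: resolve each domain, keep only sane addresses, and turn two consecutive polls into identity-with-timeout updates. The `/_IA_API/v1/add-identity` and `delete-identity` paths and the `ip-address`, `machine`, `session-timeout` and `shared-secret` body fields are assumed from the Identity Awareness Web API of later releases, and the DNS answers in `main()` are constructed sample data, not live lookups.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Assumed Identity Awareness Web API paths (assumption, not stated in the post).
ADD_IDENTITY_PATH = "/_IA_API/v1/add-identity"
DELETE_IDENTITY_PATH = "/_IA_API/v1/delete-identity"


def resolve_a_records(name: str) -> List[str]:
    """Ask the system resolver for the IPv4 addresses currently published for `name`."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def poll_domains(domains: List[str],
                 resolver: Callable[[str], List[str]] = resolve_a_records) -> Dict[str, str]:
    """Map every address DNS returned to the domain that produced it.
    Loopback, link-local, multicast and unspecified answers are dropped so a
    poisoned or misconfigured zone cannot push such an address into the policy."""
    found: Dict[str, str] = {}
    for domain in domains:
        for ip in resolver(domain):
            addr = ipaddress.ip_address(ip)  # raises ValueError on a non-address string
            if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
                continue
            found[ip] = domain
    return found


def plan_updates(previous: Dict[str, str], current: Dict[str, str],
                 timeout: int, secret: str) -> List[dict]:
    """Turn two consecutive polls into Identity Web API calls.
    Every address still in DNS is (re)added so its session-timeout is refreshed;
    addresses that vanished are deleted explicitly rather than waiting for expiry."""
    calls = [{"path": ADD_IDENTITY_PATH,
              "body": {"shared-secret": secret, "ip-address": ip,
                       "machine": domain, "session-timeout": timeout}}
             for ip, domain in sorted(current.items())]
    calls += [{"path": DELETE_IDENTITY_PATH,
               "body": {"shared-secret": secret, "ip-address": ip}}
              for ip in sorted(set(previous) - set(current))]
    return calls


def main() -> None:
    # Constructed DNS answers (RFC 5737 documentation ranges), standing in for a real poll.
    sample = {"www.example.com": ["192.0.2.10", "192.0.2.11"], "example.net": ["198.51.100.7"]}
    current = poll_domains(list(sample), lambda n: sample[n])
    for call in plan_updates({"203.0.113.5": "www.example.com"}, current, 600, "<shared-secret>"):
        print(call["path"], call["body"]["ip-address"])


if __name__ == "__main__":
    main()
```

Each planned call would be sent as an HTTPS POST to the gateway's Identity Web API; the shared secret belongs in the gateway's Identity Web API settings, not in the script or its logs.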
