How To Allow NTP ONLY To Pool. - LIVEcommunity - 351937

Hi @jlieberman,

Let's begin with your second approach. As you know, the NTP protocol doesn't use any kind of URL, so basically a URL category can be used only with HTTP-based applications that actually have a URL in the data. If you put a URL category in your rule (not as a URL filtering profile), this becomes an additional matching criterion. Since the URL is part of the application data, your rule will most likely allow the initial connection to be established (in order for the FW to gather enough information to identify the URL); once it detects the URL it will evaluate your rule again, and if the URL is different from the defined one it will no longer match this rule and will search for a new rule match, eventually hitting your deny all.

But as I mentioned at the beginning, NTP doesn't use any URL and it is using UDP, so the rule will allow the NTP request and response to pass through since it is trying to gather enough information to detect the URL you defined; but since it is UDP and the actual reply is in the second packet, you have fully working NTP.

Now for your first approach. When you create an FQDN object and use it in a rule, the firewall will start periodically asking its DNS to resolve the FQDN to an IP address. The IP address(es) from the reply are the ones the firewall will use as the destination IP matching criteria for your rule. When DNS replies, the FW will cache the response for a configurable amount of time and will periodically check for updates.

According to this document, even if DNS returns all 500+ addresses, the FW will use only the first 32 - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVqCAK

As you can imagine, when a host or another device wants to sync with NTP it will first resolve the FQDN to an IP address and send the NTP request to one of the first IP addresses.

So to me it sounds like an FQDN object as destination address is exactly what you need. Can you elaborate a bit more on what you mean by "This doesn't work as there are like 500+ ips behind that pool"?

- Do you want to allow all 500+ IPs at the same time? Do you really need all of them?

- Or are you concerned that you allow too many addresses?
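
The FQDN-object behaviour described in this reply (the firewall resolves the name itself, caches the answer for a TTL, keeps only the first 32 addresses, and a rule then matches only those addresses) can be modelled to see when a client's own resolution lands inside or outside that cached set. The following simulation is an added example and is not code from the forum post or from Palo Alto Networks; the pool name, the 40 constructed addresses in 198.51.100.0/24, the rotating resolver, and the timing values are all assumptions made for the illustration. The only figure taken from the post is the 32-address limit.

```python
"""Model of an FQDN address object in a firewall rule (added example, not from
the original post or from any vendor code).

- the firewall resolves the FQDN, caches at most MAX_CACHED addresses
  (the post cites 32), and refreshes the cache when its TTL expires;
- a rule using the object matches a destination only if it is in the cache;
- a client resolves the same name independently and sends to the first
  address it receives.

All DNS data below is constructed; the resolver rotates its answer like a
round-robin pool so that the firewall and the client can see different
orderings."""

from dataclasses import dataclass, field

MAX_CACHED = 32  # limit quoted in the forum post

# Constructed pool: 40 addresses, deliberately more than the firewall caches.
POOL = [f"198.51.100.{i}" for i in range(1, 41)]
FQDN = "pool.example"  # placeholder name, not a real pool hostname


def dns_answer(rotation: int) -> list[str]:
    """Constructed resolver: returns the whole pool rotated by `rotation`
    entries, mimicking a pool that reorders its answers between queries."""
    r = rotation % len(POOL)
    return POOL[r:] + POOL[:r]


def client_picks(rotation: int) -> str:
    """A client that, as the post says, uses the first address it resolves."""
    return dns_answer(rotation)[0]


@dataclass
class FqdnObject:
    """Firewall-side FQDN object: cached addresses plus an expiry timestamp."""
    name: str
    ttl: int
    cached: list[str] = field(default_factory=list)
    expires_at: int = -1  # -1 forces a resolution on first use

    def refresh(self, now: int, rotation: int) -> list[str]:
        """Re-resolve only when the cached answer has expired, then keep the
        first MAX_CACHED addresses of the answer."""
        if now >= self.expires_at:
            self.cached = dns_answer(rotation)[:MAX_CACHED]
            self.expires_at = now + self.ttl
        return self.cached


def rule_matches(obj: FqdnObject, now: int, rotation: int, dst: str) -> bool:
    """Policy lookup: destination must be one of the object's cached addresses."""
    return dst in obj.refresh(now, rotation)


def run_scenario(ttl: int = 300) -> dict[str, bool]:
    """Walk one firewall object through a few client resolutions and report
    whether each client's chosen destination was allowed."""
    fw = FqdnObject(FQDN, ttl=ttl)
    return {
        # t=0: firewall and client both see rotation 0 -> client hits POOL[0]
        "same_answer_at_t0": rule_matches(fw, 0, 0, client_picks(0)),
        # t=10: client sees a small rotation, still inside the first 32
        "small_rotation_in_cache": rule_matches(fw, 10, 5, client_picks(5)),
        # t=10: client sees rotation 35 -> POOL[35], outside the stale cache
        "large_rotation_stale_cache": rule_matches(fw, 10, 35, client_picks(35)),
        # t=ttl: cache expires, firewall re-resolves with the same rotation
        "large_rotation_after_refresh": rule_matches(fw, ttl, 35, client_picks(35)),
    }


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name:32s} {'allowed' if allowed else 'DENIED'}")
```

The third case is the one to watch for when reviewing such a rule: between two cache refreshes the firewall's view of the name is frozen, while clients keep resolving it, so the outcome depends on how many addresses the pool returns, how it orders them, and how the firewall's refresh interval relates to the record's TTL. Checking the firewall's current cached addresses for the object against what clients actually resolve is the practical way to confirm the rule is behaving as intended.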
