Topic: Public IP address to DNS mapping - Juniper Firewall

jkdave82

Public IP address to DNS mapping - Juniper Firewall
« on: April 14, 2010, 08:44:49 am »
Hello Group,

I am facing difficulty making rules for dynamically changing public IP addresses in my Juniper firewall. My question is whether any flavour of Juniper firewall offers the facility to resolve a DNS name to its IP address. Some of my internal subnets have to download the latest patches from antivirus sites whose servers' IPs keep changing, as they are located on public subnets. So every time I have to look them up with nslookup and make/change the rules accordingly. This is a very tiresome task for me.

For example, the antivirus software is liveupdate.symantec.com and its IP is 63.24.57.101, so I made a rule in the firewall based on that IP address, but another day the public IP changed to 124.237.35.105. In that scenario, can I make a rule in the firewall with only the entry liveupdate.symantec.com in the destination tab, and have it automatically redirected to the respective IP address on the Internet? If this is possible, please let me know on which SSG firewall platform it is possible. I am currently using an SSG550M in my environment.

Thanks in Advance,
J K D


goojopa

Re: Public IP address to DNS mapping - Juniper Firewall
« Reply #1 on: April 14, 2010, 03:07:50 pm »
Yes. Assuming you have the firewall already configured with DNS servers (under Network->DNS->Host) and with DNS refresh turned on, you can create the address object as a domain name instead of an IP address. We do it all of the time.

jkdave82

Re: Public IP address to DNS mapping - Juniper Firewall
« Reply #2 on: April 15, 2010, 07:31:56 am »
Hi goojopa,
Thanks for your reply,

I am using an SSG550M, and I have searched in its NSM, from where I create and push policies to the production firewall, and such a path (Network->DNS->Host) is not available. What I have is configure --> predefined policies --> dns_server. Can I enter my DNS in it?

Which model number are you talking about? Please share.

goojopa

Re: Public IP address to DNS mapping - Juniper Firewall
« Reply #3 on: May 12, 2010, 09:26:26 am »
We do this on everything from the SSG 5 to the ISG 1000 models.

To set up the DNS servers through NSM, double-click the device and then go to Network->DNS->Settings. That is also where you set up how often the firewall will refresh its DNS cache. Click Ok (or Save - I don't remember) out of that screen.

Then go to Object Manager->Address Objects and add (or edit) your object and click the Domain Name circle and type in the fully qualified domain name at the bottom. Save/Ok/Apply (whatever it is) and then update your firewall and it should work.

This works really well for sites like Google and Yahoo that will return seven or eight IP addresses. And it also works for what you want to do - sites that change their IP address - as long as you have your refresh set for an appropriate interval. We have talked about lowering our refresh interval from four hours to one but haven't gotten around to it yet.

Hope that helps.
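The same three steps goojopa describes through NSM (DNS servers and refresh schedule, a domain-name address object, a policy that references it), written as a ScreenOS CLI fragment. This is an added example, not configuration from either poster: the DNS server addresses, the refresh time and the object/policy names are made up, the 63.24.57.101 address is only the poster's illustrative value, and the exact syntax of the DNS schedule command should be checked against the CLI reference for the ScreenOS release on the box.

```text
# --- Before: address object pinned to one IP (breaks when Symantec moves) ---
set address untrust "liveupdate-ip" 63.24.57.101 255.255.255.255
set policy from trust to untrust any "liveupdate-ip" HTTP permit

# --- After: firewall resolves the name itself ---
# 1. DNS servers the firewall queries (assumed addresses; use your resolvers).
set dns host dns1 192.0.2.53
set dns host dns2 192.0.2.54

# 2. Cache refresh: re-resolve every domain-name object daily at 04:00 and
#    then every hour after that. Shorter interval = shorter window in which
#    a moved server is still unreachable.
set dns host schedule 04:00 interval 1

# 3. Address object holding an FQDN instead of an IP. ScreenOS resolves it
#    and installs every A record returned (this is what covers the sites that
#    answer with seven or eight addresses).
set address untrust "liveupdate-symantec" liveupdate.symantec.com

# 4. Policy references the FQDN object; no IP appears in the rule.
set policy from trust to untrust any "liveupdate-symantec" HTTP permit

# Force an immediate refresh and confirm what the firewall actually resolved.
exec dns refresh
get dns host cache
get address untrust
```

Two things worth checking once it is in place. First, the rule is only as good as what the firewall's resolvers return: the firewall and the clients should use the same resolvers, otherwise a CDN or geo-DNS name can hand the clients an address the firewall never saw, and the traffic is dropped even though the object exists. Second, the firewall is now trusting an unauthenticated DNS answer to define the destination set of a permit rule, so only point `set dns host dns1/dns2` at resolvers you control, and keep the refresh interval short enough that a stale cache does not block updates for hours after a move.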