3XLcom
asked on
Juniper SSG 520 domain names
Is it possible to see and save domain names on a MySQL server that are called from the Juniper trusted network?
ASKER
But as far as I know, syslog just records the IP addresses. How should I get domain names? Also, can you advise me of any good syslog program that records to MySQL? I use Kiwi for my Cisco, but it does not save into MySQL.
Sorry bud. Can't help you there, I'm afraid, but I would start by using a Linux server running either syslog or syslog- this should give you a baseline for importing the logs into MySQL using scripts.
Sorry I can't be more help for now but I would suggest you ask the question again in another zone to attract the right experts.
HTH
ASKER
OK, forget about the MySQL.
Just help me to get a list of the domain names for which requests come from untrusted to trusted with success; I mean correctly pointed domain names.
ASKER
Does your firewall rule specify the addresses as domain names or IP addresses?
I am not sure if it is possible with the SSG 520.
If it's IP addresses then try to specify another rule with a domain name just to see if the logs show anything different.
I do not know how to get different logs. If you show me one I would be glad.
Yes, it's possible to use an FQDN as an address object, but you must have a working DNS server configured.
Simply add a new address object for the domain names that you want to monitor and use these objects in a firewall rule.
Note that the logs may still only refer to the actual IP in the connection, but it's worth trying.
ASKER
In my Juniper's web UI, under the Objects part, there are only these options:
Objects
Users
Local
Local Groups
External Groups
IP Pools
Certificates
Should I find what to do in there?
Under Policy > Policy Elements > Addresses > List, add the new address object there in the correct zone and then use this object in a policy.
ASKER
You misunderstand me; that is not what I asked. I do not know the domain names in my network. We have nearly 100 servers rented, and we want to see what our customers do. So we do not know the domain names and want to find them out from the Juniper.
Then we can't do this on the firewall, I'm afraid.
If you want to obtain that type of information then buy a proper proxy to do this.
ASKER
I've talked to the SonicWall team before; they told me this: we should do it with only a firewall because it reads packages.
Please note that I am not searching for outgoing connections; I am looking for incoming connections, so a proxy should not work, in my opinion.
Then get a SonicWall firewall; ScreenOS does not do what you want.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
ASKER
Qelmo, what if an IP has more than one web site? Your solution seems like it works only if the reverse DNS address is the only web site with an FQDN that exists on the IP.
You are demanding too much. The firewall knows only of the IP address. Else you have to record every URL (or at least the root part) used, and that cannot be done by the firewall itself. Only proxy services are able to do that, e.g. a Web Proxy, WebSense or the like. And that would only work for HTTP traffic anyway, because HTTPS is encrypted, and other protocols are using different addressing.
I have started accepting comments because they answer your question. Q: "Is it possible", A: "No". The comments provide workarounds for resolving domain names according to the simple task to reverse-resolve domain names.
Sadly, ScreenOS cannot import these logs directly to a MySQL database; you will need to send these logs to a server via syslog then import them from there, but that is outwith the abilities of the firewall, sadly.
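The workaround discussed in this thread (send the traffic log to a syslog server, then reverse-resolve the destination IPs of permitted Untrust-to-Trust sessions), as an added Python example that is not part of the original thread. The ScreenOS traffic-log layout, the sample lines, the PTR table and all function names are assumptions made for illustration.

```python
import re
import socket
from collections import Counter

# ScreenOS traffic-log fields are key=value; two keys ("src zone", "dst zone") contain a space.
PAIR = re.compile(r'(src zone|dst zone|\w+)=("[^"]*"|\S+)')

def _line(src_zone, dst_zone, action, src, dst, dport):
    """Build one constructed sample line in the assumed ScreenOS layout."""
    return ('fw1: NetScreen device_id=fw1 [Root]system-notification-00257(traffic): '
            'start_time="2010-03-03 10:15:01" duration=4 policy_id=12 service=http proto=6 '
            f'src zone={src_zone} dst zone={dst_zone} action={action} sent=812 rcvd=5120 '
            f'src={src} dst={dst} src_port=40112 dst_port={dport}')

SAMPLE = [  # constructed, not taken from the thread
    _line("Untrust", "Trust", "Permit", "198.51.100.7", "192.0.2.10", 80),
    _line("Untrust", "Trust", "Permit", "198.51.100.9", "192.0.2.10", 80),
    _line("Untrust", "Trust", "Permit", "203.0.113.5", "192.0.2.20", 443),
    _line("Untrust", "Trust", "Deny", "203.0.113.5", "192.0.2.30", 23),
    _line("Trust", "Untrust", "Permit", "192.0.2.10", "198.51.100.7", 53),
]

def parse_line(line):
    """Return the key=value fields of one traffic-log line as a dict."""
    return {k: v.strip('"') for k, v in PAIR.findall(line)}

def inbound_permitted(lines):
    """Count permitted Untrust -> Trust sessions per (destination IP, destination port)."""
    hits = Counter()
    for f in map(parse_line, lines):
        if (f.get("src zone"), f.get("dst zone"), f.get("action")) == ("Untrust", "Trust", "Permit"):
            hits[(f["dst"], int(f["dst_port"]))] += 1
    return hits

def ptr_name(ip):
    """Reverse-resolve one IP; None when no PTR record is returned."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def report(lines, resolver=ptr_name):
    """Rows of (dst IP, dst port, session count, PTR name or None), sorted by IP and port."""
    return [(ip, port, n, resolver(ip))
            for (ip, port), n in sorted(inbound_permitted(lines).items())]

if __name__ == "__main__":
    fake_ptr = {"192.0.2.10": "web1.example.net"}  # constructed PTR table, keeps the demo offline
    for row in report(SAMPLE, resolver=fake_ptr.get):
        print(row)
```

Each destination IP yields at most the one name its PTR record holds, so several web sites hosted on the same IP stay indistinguishable in this report, which is the limitation raised in the thread.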