Configuring Fortinet/Panorama/Check Point Resolution and Caching FQDN Object IPs

Overview

Example

<fqdn>
    <fw_response_cache>
        <!-- Activates only the cache. FQDN resolution is always on -->
        <active>true</active>
        <max_minutes>1440</max_minutes>
    </fw_response_cache>
    <dns>
        <!-- Activates local DNS resolution. If active, results are always cached -->
        <active>false</active>
        <max_minutes>10080</max_minutes>
    </dns>
    <exclude_fqdn_info_from_reports>false</exclude_fqdn_info_from_reports>
</fqdn>

When devices can resolve FQDN objects, you can configure SecureTrack to cache these IPs. Additionally, SecureTrack can use a local DNS server when encountering unresolved FQDN objects.

There are three flags in StConf:

  • fw_response_cache (active and max_minutes): Enables caching of resolved FQDN results.

  • dns (active and max_minutes): Enables a local DNS server as a fallback for unresolved FQDN objects.

  • exclude_fqdn_info_from_reports: Removes resolved IPs from revisions' diff calculation for FQDN devices.

When these flags enable the local DNS, SecureTrack queries the local DNS once for each FQDN object that the device did not resolve, and then caches the result. You can configure the refresh period for the FQDN cache service; the default is 24 hours.

The option in StConf affects all the Panorama, Check Point, and FortiManager devices managed in SecureTrack.

Prerequisites

To enable configuration for resolving FQDN objects, you must be logged into SecureTrack as a user with the relevant admin user role and access rights.

Configure Fortinet/Palo Alto Panorama/Check Point to Resolve FQDN Objects

  1. Navigate to: https://<SecureTrack_IP>/securetrack/admin/stcgitest.htm

  2. Navigate to Edit StConf > Fetch StConf.

  3. In the StConf file, navigate to the <fqdn> section and verify that the <fw_response_cache>, <dns>, and <exclude_fqdn_info_from_reports> flags are present.

    If not, insert them manually into the <fqdn> section.

  4. Set <active> within <fw_response_cache> to enable caching of the device's FQDN object resolution:

    • false (default): Query the device each time to get FQDN object resolution.

    • true: Cache the returned FQDN resolution by the device.

  5. Set <active> within <dns> to enable a local DNS server as a fallback for FQDN objects the device did not resolve:

    • false (default): Do not use the DNS server to handle unresolved FQDN objects.

    • true: Use the DNS server to resolve FQDN objects that were unresolved by the device.

  6. Set the <exclude_fqdn_info_from_reports> flag to dismiss new revisions that contain only FQDN object resolution changes:

    • false (default): Keep revisions that contain only FQDN object resolution changes.

    • true: Dismiss new revisions that contain only FQDN object resolution changes.

  7. In each section you enabled (<fw_response_cache> and <dns>), set <max_minutes> to the time interval (in minutes) for which resolved FQDN objects are kept in the cache, for example:

    <max_minutes>10080</max_minutes>

  8. Click Submit New Conf.
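As an added example (not Tufin's code), the following Python performs the checks of steps 3 to 7 on a fetched StConf document: it verifies that the three flags are present, inserts any that are missing, sets their values, and reads them back so the edit can be verified before you click Submit New Conf. It assumes the StConf XML from Fetch StConf has been saved locally; the sample document in the block is constructed.

```python
# Added example (not Tufin's code): check and complete the <fqdn> section of a fetched
# StConf document, as step 3 asks. Assumes the XML from Edit StConf > Fetch StConf was
# saved locally; only the flag names and default values quoted on the page are used.
import xml.etree.ElementTree as ET

DEFAULT_MINUTES = {"fw_response_cache": 1440, "dns": 10080}  # values from the page example
REPORT_FLAG = "exclude_fqdn_info_from_reports"
# Constructed sample of a fetched StConf in which only the cache block is present.
SAMPLE_STCONF = ("<stconf><fqdn><fw_response_cache><active>true</active>"
                 "<max_minutes>1440</max_minutes></fw_response_cache></fqdn></stconf>")

def _child(parent, tag, inserted):
    """Return child <tag> of parent, creating it and recording its path when absent."""
    node = parent.find(tag)
    if node is None:
        node = ET.SubElement(parent, tag)
        inserted.append(f"{parent.tag}/{tag}")
    return node

def _fqdn_section(root):
    return root if root.tag == "fqdn" else root.find(".//fqdn")

def ensure_fqdn_flags(stconf_xml, fw_cache=False, dns=False, exclude=False,
                      fw_cache_minutes=None, dns_minutes=None):
    """Insert missing flags, set them (true/false as in steps 4-6) and return
    (new xml, paths that had to be inserted). A minutes value of None keeps the
    existing <max_minutes> or falls back to the page defaults."""
    root = ET.fromstring(stconf_xml)
    inserted = []
    fqdn = _fqdn_section(root)
    if fqdn is None:                      # whole section absent: create it
        fqdn = _child(root, "fqdn", inserted)
    for tag, enabled, minutes in (("fw_response_cache", fw_cache, fw_cache_minutes),
                                  ("dns", dns, dns_minutes)):
        block = _child(fqdn, tag, inserted)
        _child(block, "active", inserted).text = "true" if enabled else "false"
        mins = _child(block, "max_minutes", inserted)
        value = int(minutes if minutes is not None else mins.text or DEFAULT_MINUTES[tag])
        if value <= 0:
            raise ValueError(f"{tag}/max_minutes must be a positive number of minutes")
        mins.text = str(value)
    _child(fqdn, REPORT_FLAG, inserted).text = "true" if exclude else "false"
    return ET.tostring(root, encoding="unicode"), inserted

def read_fqdn_flags(stconf_xml):
    """Read the three flags back as Python values to check an edit before Submit."""
    fqdn = _fqdn_section(ET.fromstring(stconf_xml))
    truthy = lambda el, tag: el.findtext(tag, "").strip().lower() == "true"
    out = {tag: {"active": truthy(fqdn.find(tag), "active"),
                 "max_minutes": int(fqdn.find(tag).findtext("max_minutes"))}
           for tag in ("fw_response_cache", "dns")}
    out[REPORT_FLAG] = truthy(fqdn, REPORT_FLAG)
    return out
```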