Kelalatir
newbie
Topic Author
Posts: 42
Joined: Mon Feb 29, 2016 7:22 pm

Whitelist by URL for 5 Cisco domains

Mon Dec 05, 2022 2:25 am

Greetings Mikrotik Forum,

My organization recently subscribed to using Cisco Webex video conferencing. In the setup guide, Cisco recommends whitelisting the following items in our firewall:
Port access for HTTPS or secure web sockets outbound from Expressway to *.ciscospark.com, *.rackcdn.com, *.wbx2.com, *.webex.com, and *.webexcontent.com: TCP port 443 (secure).

I opened a support ticket with Cisco asking for IP ranges for these domains, and according to Cisco support:
Please note that “filtering Webex signalling traffic using IP addresses is not supported, as the IP addresses used by Webex signalling services are dynamic and may change at any time.”
The only option is to configure the firewall to allow the Webex destination URLs.
I've reviewed several other posts on this forum about blocking websites via URL. One post said to use layer 7 filtering, but several more posts said layer 7 filtering is too intensive. I'm using various cloud core routers, but if I get this to work, I'll need to add it to 5 different Mikrotik routers to cover our various sites. Another post said to use the "TLS Host" option in the advanced filter rule tab, but later in that thread it was discovered TLS 1.3 doesn't work with the TLS Host.

A lot of the "match URL" topics are specific cases, and it seems solutions may vary depending on the specific case. It appears there is no easy way to do a DNS lookup per packet or even per connection to match a URL that isn't hugely resource intensive, and that makes sense technically. In this case, I know the nature of port 443 encryption also adds a layer of complexity.

Does anyone have a good workaround? What about a script that does some kind of DNS lookup once a day to update an address list for the domains listed above? While IPs are dynamic, and can theoretically change at any moment, practically I imagine the bulk of the IPs don't change from day to day, and this might work with only an occasional false negative block.

Any suggestions or links to a solution or workaround would be most appreciated. I know this is an oft requested topic, and I appreciate anyone willing to discuss it with me.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Whitelist by URL for 5 Cisco domains

Mon Dec 05, 2022 5:26 am

Address list supports hostnames, but it's useless for wildcards, because it resolves given hostnames, and it can't resolve all possible combinations.

But they recently added this interesting thing:

viewtopic.php?p=952360#p952360

I didn't see any official word about it or what their intention was, but it seems that it can be used for what you want.
 
Kelalatir
newbie
Topic Author
Posts: 42
Joined: Mon Feb 29, 2016 7:22 pm

Re: Whitelist by URL for 5 Cisco domains

Wed Dec 07, 2022 8:32 am

Thank you for the reply, Sob. I'm excited to try creating the address lists dynamically during DNS lookups. This may indeed solve my issue.

First I have to upgrade all my routers from the version 6 stable to the version 7 stable branch. Since the upgrade breaks OSPF, I have to carefully manage each upgrade to avoid losing network segments, so this may take me a little while. Then I can test the new DNS match-subdomain feature. I'm glad they included the feature in the 7.6 stable release. I'll report my findings back here once I'm done.
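For readers arriving at this thread, here is an added configuration example (not from either poster) of the approach discussed above: static DNS entries with match-subdomain populating a firewall address list for the five Cisco domains, plus the filter rule that uses it. It assumes RouterOS 7.6 or later, that the Expressway and clients use this router as their DNS resolver, and placeholder values for the list name (`webex`), the upstream forwarder (`8.8.8.8`) and the forward chain layout.

```routeros
# Added example, not the thread's own configuration. Placeholders: list name "webex",
# upstream DNS forwarder 8.8.8.8. Requires RouterOS 7.6+ for match-subdomain/address-list.

# The router must answer DNS for the Expressway/clients, otherwise nothing is ever
# learned into the address list.
/ip dns
set allow-remote-requests=yes

# One FWD entry per Cisco domain. match-subdomain=yes makes the entry cover every
# *.domain name; each address returned while resolving such a name is added to the
# "webex" address list with a timeout equal to the record's TTL, so stale IPs age out
# and the list follows Cisco's dynamic addressing instead of a once-a-day snapshot.
/ip dns static
add name=ciscospark.com  type=FWD forward-to=8.8.8.8 match-subdomain=yes address-list=webex
add name=rackcdn.com     type=FWD forward-to=8.8.8.8 match-subdomain=yes address-list=webex
add name=wbx2.com        type=FWD forward-to=8.8.8.8 match-subdomain=yes address-list=webex
add name=webex.com       type=FWD forward-to=8.8.8.8 match-subdomain=yes address-list=webex
add name=webexcontent.com type=FWD forward-to=8.8.8.8 match-subdomain=yes address-list=webex

# Allow only TCP/443 to addresses the DNS step has learned. Place this rule before the
# chain's final drop (place-before the drop rule's number on a live router).
/ip firewall filter
add chain=forward action=accept protocol=tcp dst-port=443 dst-address-list=webex \
    comment="Webex signalling, addresses learned from DNS"

# Caveat: a host that resolves names elsewhere (another resolver, DoH/DoT) bypasses the
# learning step and its Webex connections will be dropped. Forcing internal DNS to this
# router keeps the list complete; logging the drops shows any hosts that slipped past.
add chain=forward action=drop protocol=udp dst-port=53 dst-address=!192.0.2.1 \
    comment="Placeholder: 192.0.2.1 is this router's LAN address; send all DNS here"
add chain=forward action=drop protocol=tcp dst-port=443 log=yes log-prefix="no-webex-match" \
    comment="Optional: log 443 drops to find hosts not using the router for DNS"
```

Verify it is working with `/ip firewall address-list print where list=webex` after a client has resolved a Webex hostname; an empty list means the resolution did not pass through this router.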
