LM wrote:
On a technical level, that may be. From a user level, it would seem to me that it should equate to the same thing...
I agree.
...will it still trigger on the IP address (provided it's still in that range).
I seem to remember, when I tried this before, it didn’t trigger an event. I will, however, test this again.
This is the key obstacle, I think. Can't tone down the AF, or the rules are overwritten with the more general entry; can't get around that.
I guess this is what I keep coming back to. The rule creation mechanism needs to be more granular, so that a host name entry will work, without triggering an event for each different IP.
gibran wrote:
Never mind, I was only speculating. But all this is related to performance...
When I use host:www.google.com, actually a range is specified in Application Monitor or Network Monitor... The point is whether the firewall uses the range or not. If it uses the range when the host field is specified, it is important to know how this range is updated.
I haven’t tried the generic host name in testing, but I would imagine the results will be the same, as something like google.com is going to resolve to many different addresses.
The rough way to solve your issue is to log connections to pop.gmail.com using a topmost allow & log rule in Network Monitor with host pop.gmail.com or the Google IP range.
Then analyze the data of 30 or more connections to guess the IP range or the IP list.
They could have assigned a range of IPs to that service or semi-random IPs in their huge network range… I would use this way to track the IP.
I started to do something like that, but the address range is just too vast. The problem may also be compounded by geographical considerations.
(I did try ipconfig /dnsflush but I had no different results).
I don’t use the Windows DNS cache, I have the DNS Client Service disabled. I assume CFP does its own caching?
So you could try nslookup pop.gmail.com, but using this I got 1 IP only...
I would assume that is a cache entry, as I always get the IP address of the last server I connected to.
BTW: I switched to Very High and used a host rule (host:www.google.com) but I got no alert; maybe I need to reboot to have the behaviour you described. Would you mind trying Host:www.google.com to see if it is mapped as a range?
I’ll try this and see what happens, I’m curious…
One final thing. I said in an earlier post:
Yes. Essentially, every time a new IP is identified, a new rule is created, specifically for that address. If I modify the new rule to include the host name, the rule is then merged with any existing rules.
After further testing, this appears to be false! As an example, I have a rule for pop.google.
tb.exe - pop.google.com [66.249.93.109 - 66.249.93.211] - 995 - TCP - Out - Allow
After checking my mail this afternoon I received a new prompt for 66.249.91.16. I modified the rule to include the host name, but CFP, after doing what I can only assume was a host name lookup, removed the rule and it was not merged into the existing rule. Curious…
Toggie
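An added example, written here rather than taken from the thread or from Comodo: it takes the rule Toggie quotes and a constructed connection log of the kind gibran proposes collecting, reports which logged destinations fall outside the rule's address range (the ones that would prompt), and shows how wide the range would have to grow to absorb them. The log lines, timestamps and helper names are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample data (not from the thread's logs): the rule Toggie
# quotes, plus a few logged destinations of the kind gibran suggests
# collecting with a topmost allow & log rule.
EXISTING_RULE = ("tb.exe - pop.google.com [66.249.93.109 - 66.249.93.211]"
                 " - 995 - TCP - Out - Allow")
OBSERVED_LOG = """\
08:12 tb.exe -> 66.249.93.109:995 TCP allowed
12:30 tb.exe -> 66.249.93.211:995 TCP allowed
17:45 tb.exe -> 66.249.91.16:995 TCP prompted
"""

RANGE_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+) - (\d+\.\d+\.\d+\.\d+)\]")
DEST_RE = re.compile(r"-> (\d+\.\d+\.\d+\.\d+):")


def parse_rule_range(rule):
    """Return the (start, end) addresses of a CFP-style rule line."""
    start, end = RANGE_RE.search(rule).groups()
    return ipaddress.ip_address(start), ipaddress.ip_address(end)


def rule_covers(rule, ip):
    """True if ip falls inside the rule's address range."""
    start, end = parse_rule_range(rule)
    return start <= ipaddress.ip_address(ip) <= end


def uncovered_destinations(rule, log):
    """Logged destinations the rule does not cover, i.e. those that prompt."""
    return [ip for ip in DEST_RE.findall(log) if not rule_covers(rule, ip)]


def merged_range(rule, log):
    """Range needed to cover the rule's range plus every logged destination,
    with its size, so the cost of widening the rule is visible."""
    addrs = list(parse_rule_range(rule))
    addrs += [ipaddress.ip_address(ip) for ip in DEST_RE.findall(log)]
    lo, hi = min(addrs), max(addrs)
    return str(lo), str(hi), int(hi) - int(lo) + 1


def covering_network(ips):
    """Smallest CIDR block containing all the given addresses."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    lo, hi = min(addrs), max(addrs)
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return net
```

Run against the sample, only 66.249.91.16 is outside the rule, and covering it means a 708-address range (or a /21 block), which is the trade-off between one host rule and per-address prompts the thread is circling.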