Policies by FQDN WatchGuard Training.


1 Policies by FQDN WatchGuard Training

2 Policies by FQDN
RFE36954: Ability to use FQDN in policies and blocked sites lists
RFE27064: Ability to use FQDN in From and/or To field in policies
RFE79740: Ability to use FQDN in From and/or To field in policies

3 Policies by FQDN
What it is…
FQDN as part of the source and/or destination of a policy
FQDN as part of an alias
FQDN for a blocked site
FQDN for a blocked site exception
Wildcards for the host on a domain (*.example.com)
What it isn’t…
FQDN resolved to IPv6 addresses
FQDN for server configurations (Log Server, SSO Agent, etc.)

4 Use Cases

5 Use Cases
Allow traffic to a specific domain using a separate policy
Allow traffic to software update sites such as windowsupdate.microsoft.com or antivirus signature update sites, even though all other traffic is blocked. This is especially useful when these sites are hosted on content delivery networks (CDNs) that frequently add and change IP addresses.
Deny traffic to a specific domain
Deny all traffic from the CDE (Cardholder Data Environment) but allow signature updates
For PCI compliance, traffic from the CDE must be restricted; however, allowing critical updates is still necessary. Many of the services that need to be allowed also use CDNs.

6 Configuration

7 FQDN in Policies
When modifying the To or From fields in a policy, FQDN is now listed after selecting Add > Add Other. This allows the configuration of an FQDN, which can include a single leading wildcard.

8 FQDN in Aliases
FQDN members can also be added to aliases, which are then used in policies.

9 FQDN in Blocked Sites (and Exceptions)
FQDN members can also be added to the blocked sites and blocked sites exceptions lists.

10 FQDN in Logging
Logging will show the FQDN that was matched when a policy is applied to traffic by FQDN.

11 FQDN in Reporting
Reporting will show the FQDN that was matched when the policy was applied to traffic by FQDN.

12 FQDN in Reporting
Blocked Sites will identify the IP addresses blocked by FQDN entries included in the configuration.

13 How does this work?

14 Forward Lookups
When a user configures a domain name, the system performs forward DNS resolution and stores the mapping. Clients and the firewall should use the same name servers. For example: an nslookup of the configured name returning a non-authoritative answer with one Name and several Address entries (the values are not preserved in this transcript).

15 Why not Reverse lookups?
It is natural to think that we might be able to perform reverse DNS resolution on the source or destination IP when receiving traffic, and see if the resolved FQDN matches the configuration. Unfortunately, reverse DNS resolution might not always work. Quite commonly, the reverse DNS resolution result is not what you might expect. For example (from our previous lookup, reverse-resolving one of the returned addresses): Non-authoritative answer: in-addr.arpa name = pa-in-f147.1e100.net.

16 What about Wildcards?
With wildcards we do forward lookups for www and the domain itself. For example, for *.google.com we resolve the www host and google.com. To resolve the rest of the hosts implied by *.google.com, we implement DNS sniffing for A records that match our configuration. As DNS traffic passes through the firewall, we learn the responses to relevant queries.

17 What happens when we don’t see responses?
As seen here, if clients are trying to reach an internal destination using an internal name server, the firewall may not have an opportunity to sniff this traffic for local servers. We recommend that internal name servers are on a different internal network than clients, to ensure the firewall can see the responses from the server.
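As an added illustration (this is not WatchGuard's code; the resolver data and addresses are constructed), the following Python models the mechanism described on slides 14 to 17: seeding the FQDN-to-address mapping with forward lookups at configuration time, learning further wildcard hosts from A-record answers sniffed as they cross the firewall, ignoring AAAA answers, and consulting the mapping by destination IP when traffic arrives. Answers the firewall never sees (the internal-name-server case above) simply never enter the table.

```python
# Added illustration, not WatchGuard code: a minimal model of the FQDN mapping table.
class FqdnPolicyTable:
    def __init__(self, entries):
        # Configured FQDN objects; one leading wildcard ("*.example.com") is allowed.
        self.entries = [e.lower().rstrip(".") for e in entries]
        self.ip_to_fqdn = {}  # learned IPv4 address -> configured entry it satisfies

    def matches(self, name):
        """Return the configured entry that covers `name`, or None."""
        name = name.lower().rstrip(".")
        for entry in self.entries:
            if entry.startswith("*."):
                # a wildcard covers the domain itself and any host under it
                if name == entry[2:] or name.endswith(entry[1:]):
                    return entry
            elif name == entry:
                return entry
        return None

    def seed(self, resolver):
        """Forward-resolve configured names at configuration time. For a wildcard
        only www.<domain> and <domain> are resolved; other hosts come from sniffing."""
        for entry in self.entries:
            base = entry[2:] if entry.startswith("*.") else None
            for name in ([base, "www." + base] if base else [entry]):
                for ip in resolver.get(name, []):
                    self.ip_to_fqdn[ip] = entry

    def learn_answer(self, qname, rtype, rdata):
        """DNS sniffing: store an A answer seen crossing the firewall when the answered
        name matches a configured entry. AAAA is ignored (no IPv6 support)."""
        if rtype != "A":
            return False
        entry = self.matches(qname)
        if entry is None:
            return False
        self.ip_to_fqdn[rdata] = entry
        return True

    def lookup(self, dst_ip):
        """Policy check on traffic: which configured FQDN does this destination belong to?"""
        return self.ip_to_fqdn.get(dst_ip)

# Constructed sample resolver (documentation-range addresses, not real lookups).
SAMPLE_RESOLVER = {
    "google.com": ["203.0.113.10"],
    "www.google.com": ["203.0.113.11", "203.0.113.12"],
    "windowsupdate.microsoft.com": ["203.0.113.30"],
}
```

A host under the wildcard that was only ever resolved through a name server the firewall cannot observe never gets a `learn_answer` call, so `lookup` returns None for it and the policy does not apply.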

18 Thank You!

