Policies by FQDN

• RFE36954: Ability to use FQDN in policies and blocked sites lists
• RFE27064: Ability to use FQDN in From and/or To field in policies
• RFE79740: Ability to use FQDN in From and/or To field in policies
WatchGuard Training
Policies by FQDN

What it is…
• FQDN as part of the source and/or destination of a policy
• FQDN as part of an alias
• FQDN for a blocked site
• FQDN for a blocked site exception
• Wildcards for the host on a domain (*.example.com)

What it isn’t…
• FQDN resolved to IPv6 addresses
• FQDN for server configurations (Log Server, SSO Agent, etc.)
Use Cases
Allow traffic to a specific domain using a separate policy
• Allow traffic to software update sites such as windowsupdate.microsoft.com or antivirus signature update sites, even though all other traffic is blocked. This is especially useful when these sites are hosted on content delivery networks (CDNs) that frequently add and change IP addresses.

Deny traffic to a specific domain
Deny all traffic from the CDE (Cardholder Data Environment) but allow signature updates
• For PCI compliance, traffic from the CDE must be restricted; however, allowing critical updates is still necessary. Many of the services that need to be allowed are also using CDNs.
FQDN in Policies

When modifying the To or From fields in a policy, FQDN is now listed after selecting Add > Add Other. This allows the configuration of an FQDN, which can include a single leading wildcard.
FQDN in Aliases

FQDN members can also be added to aliases, which are then used in policies.
FQDN in Blocked Sites (and Exceptions)

FQDN members can also be added to the Blocked Sites and Blocked Sites Exceptions lists.
FQDN in Logging

Logging will show the FQDN that was matched in the logs when a policy is applied to traffic by FQDN.
FQDN in Reporting

Reporting will show the FQDN that was matched when the policy was applied to traffic by FQDN.

Blocked Sites will identify the IP addresses blocked by FQDN included in the configuration.
Forward Lookups

When a user configures a domain name, the system will perform forward DNS resolution and store the mapping.
• Clients and the Firewall should use the same name servers.
• For example: www.google.com

Non-authoritative answer:
Name:    www.google.com
Address: 74.125.25.104
Name:    www.google.com
Address: 74.125.25.105
Name:    www.google.com
Address: 74.125.25.147
Name:    www.google.com
Address: 74.125.25.99
Name:    www.google.com
Address: 74.125.25.106
Name:    www.google.com
Address: 74.125.25.103
Why not Reverse lookups?

It is natural to think that we might be able to perform reverse DNS resolution on the source or destination IP when receiving traffic, and see if the resolved FQDN matches the configuration.

Unfortunately, reverse DNS resolution might not always work. Quite commonly, the reverse DNS resolution result is not what you might expect.
• For example: 74.125.25.147 (from our previous lookup of www.google.com)

Non-authoritative answer:
147.25.125.74.in-addr.arpa name = pa-in-f147.1e100.net.
What about Wildcards?

With wildcards we do forward lookups for www and the domain itself.
• For example: for *.google.com we resolve www.google.com and google.com

To resolve the rest of the hosts implied by *.google.com, we implement DNS sniffing for A records that match our configuration.
• As DNS traffic passes through the firewall, we learn the responses to relevant queries.

[Diagram: Local Client-1 and Local Client-2, WG appliance, External DNS server]
What happens when we don’t see responses?

As seen here, if the clients are trying to reach an internal destination with an internal name server, the firewall may not have an opportunity to sniff this traffic for local servers.
• We recommend that internal name servers are on a different internal network than clients to ensure the firewall can see responses from the server.

[Diagram: Local DNS server, Local Client-1, Local Client-2, WG appliance, External DNS server; hosts a.wgti.net, b.wgti.net, c.wgti.net]
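The behaviour described on the Forward Lookups, Reverse lookups, Wildcards and "don't see responses" slides, as an added Python simulation. This is example code written for these notes, not WatchGuard firmware. All DNS zone data is constructed: the www.google.com addresses and the pa-in-f147.1e100.net PTR answer are the values shown on the slides, every other name and address (google.com, the wgti.net hosts, the 10.0.5.0/24 addresses) is made up, and the `crosses_firewall` flag is an assumed stand-in for whether a DNS answer actually traverses the appliance.

```python
"""Simulation of how an FQDN policy table is populated: forward lookups seed
the table, wildcards are completed by passively observing DNS answers that
cross the firewall, and reverse lookups are shown to be unreliable.
Added example, not WatchGuard code. All DNS data below is constructed."""

import ipaddress

# Constructed forward zone (A records). Only the www.google.com answers are slide data.
FORWARD_ZONE = {
    "www.google.com": ["74.125.25.104", "74.125.25.105", "74.125.25.147",
                       "74.125.25.99", "74.125.25.106", "74.125.25.103"],
    "google.com": ["74.125.25.100"],        # constructed
    "mail.google.com": ["74.125.25.200"],   # constructed
    "www.wgti.net": ["10.0.5.10"],          # constructed
    "wgti.net": ["10.0.5.1"],               # constructed
    "a.wgti.net": ["10.0.5.20"],            # constructed
    "b.wgti.net": ["10.0.5.21"],            # constructed
    "c.wgti.net": ["10.0.5.22"],            # constructed
}

# Constructed reverse zone (PTR). The 1e100.net answer is the one shown on the slide.
REVERSE_ZONE = {"74.125.25.147": "pa-in-f147.1e100.net"}


class FqdnTable:
    """Maps IPv4 addresses to the configured FQDN entry (exact name or *.domain) they satisfy."""

    def __init__(self, configured):
        self.configured = [c.lower() for c in configured]
        self.ip_to_entry = {}   # "74.125.25.147" -> ("www.google.com", "www.google.com")
        self.seed()

    def matching_entry(self, name):
        """Return the configured entry that covers `name`, or None."""
        name = name.lower().rstrip(".")
        for entry in self.configured:
            if entry.startswith("*."):
                domain = entry[2:]
                # The wildcard covers the domain itself and any host beneath it.
                if name == domain or name.endswith("." + domain):
                    return entry
            elif name == entry:
                return entry
        return None

    def learn(self, name, addresses):
        """Store IPv4 answers for a covered name; returns how many addresses were new."""
        entry = self.matching_entry(name)
        if entry is None:
            return 0
        added = 0
        for addr in addresses:
            ip = ipaddress.ip_address(addr)
            if ip.version != 4:          # the feature does not resolve FQDNs to IPv6
                continue
            if str(ip) not in self.ip_to_entry:
                added += 1
            self.ip_to_entry[str(ip)] = (name.lower().rstrip("."), entry)
        return added

    def seed(self):
        """Forward lookups performed when the configuration is saved."""
        for entry in self.configured:
            if entry.startswith("*."):
                names = ["www." + entry[2:], entry[2:]]   # www.<domain> and the domain itself
            else:
                names = [entry]
            for name in names:
                self.learn(name, FORWARD_ZONE.get(name, []))

    def observe_dns_response(self, qname, rtype, rdata, crosses_firewall=True):
        """Passive DNS sniffing: an A answer is learned only if it passed through the firewall."""
        if not crosses_firewall or rtype != "A":
            return 0
        return self.learn(qname, rdata)

    def match(self, ip):
        """Policy evaluation: look the packet's IPv4 address up in the learned table."""
        return self.ip_to_entry.get(ip)


def reverse_lookup_match(ip, configured):
    """Why reverse lookups are not used: the PTR name rarely equals the configured FQDN."""
    ptr = REVERSE_ZONE.get(ip)
    return ptr, (ptr is not None and ptr.lower() in [c.lower() for c in configured])


if __name__ == "__main__":
    table = FqdnTable(["www.google.com", "*.wgti.net"])
    print("seeded:", table.ip_to_entry)
    # Internal name server on the clients' own subnet: the firewall never sees this answer.
    table.observe_dns_response("a.wgti.net", "A", FORWARD_ZONE["a.wgti.net"], crosses_firewall=False)
    # Name server on a separate internal network: the answer crosses the firewall and is learned.
    table.observe_dns_response("b.wgti.net", "A", FORWARD_ZONE["b.wgti.net"])
    print("a.wgti.net matched:", table.match("10.0.5.20"))
    print("b.wgti.net matched:", table.match("10.0.5.21"))
    print("reverse lookup:", reverse_lookup_match("74.125.25.147", ["www.google.com"]))
```

The seeding step resolves exactly the names the slides list (the exact FQDN, or www.<domain> plus the domain for a wildcard), so a host such as a.wgti.net is only matched once its A answer has been observed crossing the appliance; that is the case the final slide's placement recommendation addresses.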