Policies by FQDN (WatchGuard Training)

Upload: clarence-richards

Post on 02-Jan-2016


TRANSCRIPT

Policies by FQDN

WatchGuard Training

Policies by FQDN

RFE36954: Ability to use FQDN in policies and blocked sites lists
RFE27064: Ability to use FQDN in From and/or To field in policies
RFE79740: Ability to use FQDN in From and/or To field in policies


Policies by FQDN

What it is…
• FQDN as part of the source and/or destination of a policy
• FQDN as part of an alias
• FQDN for a blocked site
• FQDN for a blocked site exception
• Wildcards for the host on a domain (*.example.com)

What it isn’t…
• FQDN resolved to IPv6 addresses
• FQDN for server configurations (Log Server, SSO Agent, etc.)


Use Cases


Allow traffic to a specific domain using a separate policy
• Allow traffic to software update sites such as windowsupdate.microsoft.com or antivirus signature update sites, even though all other traffic is blocked. This is especially useful when these sites are hosted on content delivery networks (CDNs) that frequently add and change IP addresses.

Deny traffic to a specific domain

Deny all traffic from the CDE (Cardholder Data Environment) but allow signature updates
• For PCI compliance, traffic from the CDE must be restricted; however, allowing critical updates is still necessary. Many of the services that need to be allowed are also using CDNs.

Configuration


FQDN in Policies


When modifying the To or From fields in a policy, FQDN is now listed after selecting Add > Add Other.

This allows the configuration of an FQDN, which can include a single leading wildcard.

FQDN in Aliases


FQDN members can also be added to aliases, which are then used in policies.

FQDN in Blocked Sites (and Exceptions)


FQDN members can also be added to the Blocked Sites and Blocked Sites Exceptions lists.

FQDN in Logging


The logs will show the FQDN that was matched when a policy is applied to traffic by FQDN.

FQDN in Reporting


Reporting will show the FQDN that was matched when the policy was applied to traffic by FQDN.

FQDN in Reporting


Blocked Sites will identify the IP addresses blocked by FQDN included in the configuration.

How does this work?


Forward Lookups


When a user configures a domain name, the system will perform forward DNS resolution and store the mapping.
• Clients and the Firewall should use the same name servers.
• For example: www.google.com

Non-authoritative answer:
Name: www.google.com
Address: 74.125.25.104
Name: www.google.com
Address: 74.125.25.105
Name: www.google.com
Address: 74.125.25.147
Name: www.google.com
Address: 74.125.25.99
Name: www.google.com
Address: 74.125.25.106
Name: www.google.com
Address: 74.125.25.103

Why not Reverse lookups?


It is natural to think that we might be able to perform reverse DNS resolution on the source or destination IP when receiving traffic, and see if the resolved FQDN matches the configuration.

Unfortunately, reverse DNS resolution might not always work. Quite commonly, the reverse DNS resolution result is not what you might expect.
• For example: 74.125.25.147 (from our previous lookup of www.google.com)

Non-authoritative answer:
147.25.125.74.in-addr.arpa name = pa-in-f147.1e100.net.

What about Wildcards?


With wildcards we do forward lookups for www and the domain itself.
• For example: for *.google.com we resolve www.google.com and google.com

To resolve the rest of the hosts implied by *.google.com, we implement DNS sniffing for A records that match our configuration.
• As DNS traffic passes through the firewall, we learn the responses to relevant queries.

[Diagram: Local Client-1 and Local Client-2 behind the WG appliance, with the External DNS server beyond it]

What happens when we don’t see responses?


As seen here, if the clients are trying to reach an internal destination with an internal name server, the firewall may not have an opportunity to sniff this traffic for local servers.
• We recommend that internal name servers are on a different internal network than clients to ensure the firewall can see responses from the server.

[Diagram: Local DNS server, Local Client-1, Local Client-2 and the internal hosts a.wgti.net, b.wgti.net and c.wgti.net behind the WG appliance, with the External DNS server beyond it]
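The mechanism described on the Forward Lookups, Reverse lookups, Wildcards and "don't see responses" slides, modelled in code as an added example. This is not WatchGuard's code: it is a small stand-alone model in which forward lookups seed an FQDN-to-IP table when the policy is configured (for a wildcard, only www.<domain> and <domain>), further hosts under a wildcard are learned from A records in DNS responses the firewall can see, and traffic is matched by IP. The DNS responses, the name server answers (apart from three www.google.com addresses taken from the slide) and the internal address 10.0.0.5 are constructed test data; build_dns_response is only a test helper; and the rule that *.domain covers the domain itself and every host below it is an assumption, not something the slides state.

```python
# Added example, not WatchGuard's code: a minimal model of matching a policy by
# FQDN the way the slides describe it (forward lookups seed the table, wildcard
# hosts are learned by sniffing DNS responses, traffic is matched by IP).
import ipaddress
import struct

def _encode_name(name):
    """'a.b' -> b'\\x01a\\x01b\\x00' (DNS label encoding)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_dns_response(qname, addresses, ttl=300):
    """Constructed DNS response in wire format: one question, one A RR per address."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addresses), 0, 0)  # header
    msg += _encode_name(qname) + struct.pack("!HH", 1, 1)  # question: QTYPE A, class IN
    for ip in addresses:  # owner name = compression pointer (0xC00C) to the question
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return msg

def _read_name(packet, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:  # must point backwards, so pointer loops cannot happen
                raise ValueError("bad compression pointer")
            end = offset + 2 if end is None else end
            offset = pointer
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), end if end is not None else offset
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length

def parse_a_records(packet):
    """Return (name, ip, ttl) for every IN A record in the answer section."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:  # QR bit clear: a query, nothing to learn from
        return []
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(packet, offset)
        offset += 4  # skip QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = _read_name(packet, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        rdata = packet[offset + 10:offset + 10 + rdlen]
        offset += 10 + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name.lower(), str(ipaddress.IPv4Address(rdata)), ttl))
    return records

class FqdnPolicy:
    """The FQDN entries of one policy plus the IP mapping learned for them."""
    def __init__(self, entries, forward_lookup):
        self.entries = [e.lower() for e in entries]
        self.ip_to_name = {}
        for entry in self.entries:  # forward lookups when the policy is configured;
            # for a wildcard only www.<domain> and <domain> are resolved, as the slides say
            seeds = ["www." + entry[2:], entry[2:]] if entry.startswith("*.") else [entry]
            for name in seeds:
                for ip in forward_lookup(name):
                    self.ip_to_name[ip] = name
    def name_matches(self, name):
        """*.d is assumed here to cover d and every host below it (not stated on the slides)."""
        name = name.lower()
        return any(name == e or (e.startswith("*.") and (name == e[2:] or name.endswith(e[1:])))
                   for e in self.entries)
    def learn_from_dns(self, packet):
        """Sniff a DNS response crossing the firewall; keep the A records that match."""
        learned = [(n, ip) for n, ip, _ in parse_a_records(packet) if self.name_matches(n)]
        self.ip_to_name.update({ip: n for n, ip in learned})
        return learned
    def match_ip(self, ip):
        return self.ip_to_name.get(ip)  # None: the FQDN policy does not apply

# Constructed stand-in for the firewall's name server: www.google.com gets three of
# the addresses from the slide, the rest is made up (TEST-NET / RFC 1918 ranges).
CONSTRUCTED_ANSWERS = {
    "www.google.com": ["74.125.25.104", "74.125.25.105", "74.125.25.147"],
    "google.com": ["74.125.25.99"],
    "windowsupdate.microsoft.com": ["203.0.113.10"],
}

def demo():
    policy = FqdnPolicy(["windowsupdate.microsoft.com", "*.google.com", "*.wgti.net"],
                        lambda name: CONSTRUCTED_ANSWERS.get(name, []))
    r = {"seeded": policy.match_ip("74.125.25.147")}      # known from the forward lookup
    r["before_sniff"] = policy.match_ip("74.125.25.200")  # mail.google.com: not known yet
    policy.learn_from_dns(build_dns_response("mail.google.com", ["74.125.25.200"]))
    r["after_sniff"] = policy.match_ip("74.125.25.200")   # learned from the sniffed reply
    # the reverse lookup shown on the slides returns a name that would never match the config
    r["rdns_matches"] = policy.name_matches("pa-in-f147.1e100.net")
    # a.wgti.net was answered by a DNS server on the clients' own network, so the
    # firewall saw no response and learned nothing for its address (10.0.0.5, constructed)
    r["internal_unseen"] = policy.match_ip("10.0.0.5")
    return r
```

Running demo() shows the four states the slides walk through: an address seeded by the forward lookup matches immediately, an address for another host under the wildcard matches only after the firewall has seen the DNS response for it, the reverse-lookup name never matches the configured entries, and a host resolved by a name server the firewall cannot see stays unmatched, which is why the slides recommend placing internal name servers on a separate network from the clients.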

Thank You!
