FQDN Filter Profile
FQDN filtering lets you restrict which external websites a set of resources (VM/App instances) can reach. For example, you can set it up so that only instances tagged as Dev can go out to Social Networking and other sites, while instances tagged as Prod cannot.
Create an FQDN Filter Profile to block/allow FQDNs. We will start with individual FQDNs and then add Categories of URLs. In the earlier traffic sessions, we verified that the curl commands fetch all the websites.
Step 1: Create Profile with Default Deny
Create an FQDN Profile that allows a specific FQDN and blocks all others.
- Navigate to Manage -> Profiles -> FQDN Filtering
- Click Create
- Provide a name (e.g. fqdn-tutorials)
- In the FQDN Lists table, add www.example.com in the FQDNs/Categories text box
- Choose Allow Log in the Policy dropdown
- Change policy of the last row (FQDN ANY) to Deny Log
- Click Save
We will be using this FQDN Filtering Profile throughout this tutorial.
Step 2: Attach FQDN Profile to Policy
- Click Manage -> Security Policies -> Rules
- Find the ruleset name that's associated with the Egress Gateway
- Click the ruleset name
- From the earlier sections there are 2 rules in the ruleset:
  - any-egress-http
  - any-egress-https
- We will be testing the FQDN profile with TLS (https) traffic
- Click the table row any-egress-https and click Edit
- In the editor panel, select the FQDN Filter Profile fqdn-tutorials and click Save to save the rule
- Click Save to save the ruleset
- The rule shows fqdn-tutorials as a profile in the rules table
Step 3: Traffic Test for Default Deny
- SSH to the EC2 instance created in the spoke1-vpc
curl https://www.google.com
- Note that there is no response. You will see an error message such as a TCP reset
- In the FQDN Filter Profile we explicitly allowed only www.example.com, and the default action is set to Deny Log
- Try
curl -Ikv https://www.example.com
- You will see a successful response, as the FQDN Filter Profile allows this FQDN
- Check the issuer and subject in the certificate details and notice that the certificate is issued by Valtix
- Navigate to Investigate -> Flow Analytics -> FQDN Filtering
- You will see logs for the denied requests to www.google.com and allowed requests to www.example.com
Step 4: Default Allow
- Navigate to Manage -> Profiles -> FQDN Filtering
- Select the FQDN Profile fqdn-tutorials and Edit
- Change the default policy action to Allow Log (the last row in the profile, FQDN ANY)
- Save the profile
Step 5: Traffic Test for Default Allow
- SSH to the EC2 instance created in the spoke1-vpc
curl -Ikv https://www.google.com
- You will see a successful response, as the FQDN Filter Profile allows this FQDN through the default (FQDN ANY) match
- Try
curl -Ikv https://www.example.com
- You will see a successful response, as the FQDN Filter Profile explicitly allows this FQDN
- Check the issuer and subject in the certificate details in both cases and notice that the certificate is issued by Valtix
Step 6: Decryption Exception
In the examples above, notice that the traffic was decrypted: the external host's certificate is impersonated and signed by Valtix using the self-signed certificate defined in the proxy service. There are cases where you may not want Valtix to decrypt and inspect the traffic; finance, healthcare and government websites are common examples. In such cases, enable Decryption Exception for those FQDNs.
- Go to Manage -> Profiles -> FQDN Filtering
- Select the FQDN Profile fqdn-tutorials and Edit
- Select the Decryption Exception checkbox for www.example.com
- Save the profile
Step 7: Traffic Test for Decryption Exception
- SSH to the EC2 instance created in the spoke1-vpc
- Try
curl -Ikv https://www.example.com
- Note a successful response, as the FQDN Filter Profile explicitly allows this FQDN
- Check the certificate details and notice that the issuer is NOT Valtix and the subject does not mention Valtix
Here is the certificate before and after Decryption Exception.
Certificate before Decryption Exception (signed by Valtix):
* Server certificate:
* subject: CN=www.example.com,OU=NetSec,O=Valtix Inc.,L=SantaClara,ST=California,C=US
* start date: Dec 14 23:29:06 2020 GMT
* expire date: Dec 15 23:29:06 2021 GMT
* common name: www.example.com
* issuer: O=Valtix
Certificate after Decryption Exception (original certificate):
* Server certificate:
* subject: CN=www.example.org,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US
* start date: Nov 24 00:00:00 2020 GMT
* expire date: Dec 25 23:59:59 2021 GMT
* common name: www.example.org
* issuer: CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US
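The traffic tests in Steps 3, 5 and 7 all come down to reading the issuer line of the curl -v output by eye. The following script, added here as an example and not part of the Valtix tutorial, automates that check from the spoke instance: it classifies each FQDN as proxied (certificate re-signed by the gateway), passthrough (original certificate, Decryption Exception active) or blocked (connection reset, no certificate). The issuer string O=Valtix is taken from the output shown above; GATEWAY_ISSUER, classify_cert, probe_fqdn and the sample dumps are this example's own names and constructed data.

```shell
#!/bin/sh
# Added example, not part of the Valtix tutorial. Classifies the certificate
# section of a "curl -Ikv" run so that each FQDN's outcome (decrypted by the
# gateway, passed through, or denied) can be checked without eyeballing it.
# "O=Valtix" is the issuer shown in the tutorial output; adjust if needed.
GATEWAY_ISSUER="O=Valtix"

# classify_cert: reads curl -v output on stdin and prints one of
#   proxied     - the issuer line contains the gateway's own issuer
#   passthrough - a server certificate with a different (original) issuer
#   blocked     - no "issuer:" line at all (the handshake never completed)
classify_cert() {
    issuer=$(grep '^\* *issuer:' | head -n 1 | sed 's/^\* *issuer: *//')
    if [ -z "$issuer" ]; then
        echo blocked
    elif printf '%s\n' "$issuer" | grep -q "$GATEWAY_ISSUER"; then
        echo proxied
    else
        echo passthrough
    fi
}

# probe_fqdn <host>: live check from the spoke instance; prints the host
# followed by its classification. Not used by the offline samples below.
probe_fqdn() {
    result=$(curl -Ikv --max-time 10 "https://$1" 2>&1 | classify_cert)
    printf '%s %s\n' "$1" "$result"
}

# Constructed samples mirroring the three outcomes seen in the tutorial.
PROXIED_SAMPLE='* Server certificate:
*  subject: CN=www.example.com,OU=NetSec,O=Valtix Inc.,L=SantaClara,ST=California,C=US
*  issuer: O=Valtix'
PASSTHROUGH_SAMPLE='* Server certificate:
*  subject: CN=www.example.org,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US
*  issuer: CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US'
BLOCKED_SAMPLE='* OpenSSL SSL_connect: Connection reset by peer in connection to www.google.com:443
curl: (35) OpenSSL SSL_connect: Connection reset by peer'

# Stand-alone demonstration on the constructed samples.
for s in PROXIED_SAMPLE PASSTHROUGH_SAMPLE BLOCKED_SAMPLE; do
    eval "sample=\$$s"
    printf '%-18s %s\n' "$s" "$(printf '%s\n' "$sample" | classify_cert)"
done
```

On the spoke instance, `probe_fqdn www.example.com` after Step 6 should print passthrough, while the same call after Step 4 prints proxied.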
Step 8: Explicit Deny
- Navigate to Manage -> Profiles -> FQDN Filtering
- Select the FQDN Profile fqdn-tutorials and Edit
- Change the policy for www.example.com to Deny Log
- Decryption Exception does not come into play because the traffic is denied, so checking or un-checking it makes no difference
- Leave the default (for FQDN ANY) at Allow Log
- Save the profile
Step 9: Traffic Test for Explicit Deny
- SSH to the EC2 instance created in the spoke1-vpc
- Try
curl -Ikv https://www.example.com
- Check that this gives an error message as it explicitly matches an FQDN with a deny policy
- Try
curl -Ikv https://www.google.com
- Note a successful response as the default policy allows FQDNs that do not match anything else in the list
- Navigate to Investigate -> Flow Analytics -> FQDN Filtering and check the logs for both the actions
Step 10: FQDN Categories
So far the examples have used a specific FQDN. Valtix also supports FQDN categories (sourced from BrightCloud). You can use a category to block the set of FQDNs that match it (e.g. Social Network). All the features shown above (Decryption Exception, explicit Deny/Allow) also apply to Categories.
- Navigate to Manage -> Profiles -> FQDN Filtering
- Select the FQDN Profile fqdn-tutorials and Edit
- Remove www.example.com from the text box
- In the text box type Social Network and select it
- Change the policy to Deny Log
- Decryption Exception does not come into play because the traffic is denied, so checking or un-checking it makes no difference
- Leave the default (for FQDN ANY) at Allow Log
- Save the profile
Step 11: Traffic Test for Category Deny
- SSH to the EC2 instance created in the spoke1-vpc
- Try
curl -Ikv https://www.facebook.com
- Note this gives an error message as it explicitly matches an FQDN Category with a deny policy
- Navigate to Investigate -> Flow Analytics -> FQDN Filtering and check the logs for both actions
Error
The first time you execute curl, the request may go through because the Valtix Gateway is still caching the Categories and the URLs. Try again a second time; the request should then be blocked.