FQDN (Fully Qualified Domain Name) Filtering¶
FQDN Filtering profile provides Valtix customers with the ability to specify filtering rules to allow or deny HTTP or TLS request access to specific FQDNs when Valtix Gateways are in the Forward Proxy (Egress) or Forwarding mode. FQDNs can be specified as a pre-defined set of Categories (e.g. Sports, Gambling) or as strings with, or without or regular expressions (REGEX). The option to add a Decryption Exception is provided for all the traffic destined to a particular domain/category. The default rule in a new FQDN filter profile is Deny No Log. Both the Policy and Decryption Exception can be modified for the default rule.
Creating an FQDN Filtering Profile¶
- Navigate to Manage -> Profiles -> FQDN Filtering
- Click Create
- Provide a name and description to the profile
- Click Add to enter new FQDNs in the table
- Enter individual FQDNs e.g. www.app1.com or www.example.com
- Select Categories e.g. Gambling, Sports, Social etc.
- Define the policy action for the row
Click the drop-down list to view the actions. These actions are also available for Policy Rules.
- Allow Log - Allow the requests to the URL with logging a Valtix event for each access
- Allow No Log - Allow the requests to the URL but do not log a Valtix event
- Deny Log - Deny the requests to the URL and log a Valtix event
- Deny No Log - Deny the requests to the URL and do not log a Valtix Event
Optionally you can choose to disable Decryption for a given row by checking the checkbox Decyrption Exception. This is used only in proxy rules and useful in the following use cases:
- Customers didn’t intentionally want the proxy to deep inspect traffic with decryption (financial services, defense, health etc)
- SSO authentication traffic cannot be manipulated in any way
- NTLM traffic cannot be proxied
- Both the action and decryption exception can be modified for the default rule
- Click Save when completed
- The last row in the FQDN profile has ANY as the FQDNs, and is the default action for the FQDNs that do not match the specified list.
- Change the policy for this row to set the default action for all the FQDNs not matching the earlier rows. Decryption exception can be set as default if required.
- Check the checkbox for Decryption Exception to disable descryption by default.
- Attaching a FQDN profile to a rule starts dropping the FQDNs unless explicitly allowed.
Associate Profile with a Policy Rule¶
Check this document to create/edit Policy Rules