
Configuring FQDN based policy

Question

How can I create an outbound policy that allows or blocks traffic destined to a Fully Qualified Domain Name (FQDN), for example support.colortokens.com, so that firewall rules are programmed from the dynamic IP address(es) the FQDN resolves to?

Answer

Typically, there are three reasons to use an FQDN as the destination instead of an IP address:

  • The operator may not know the public IP address behind an FQDN.
  • Public domains usually have multiple IP addresses associated with the domain for load balancing incoming requests.
  • Public domains often change their mapped IP addresses periodically, especially if the service runs in the cloud.

Writing policies with IP addresses is very difficult in any of the above cases, so operators prefer to specify the FQDN.

Policy Configuration

The Xshield security platform provides the Template primitive for defining a security policy. A template allows the user to configure ports, inbound paths and outbound paths as part of the security policy to be applied.

Since an FQDN-based policy applies in the outbound direction, the user configures the policy by defining the following properties of the outbound path:

  • Port
  • Protocol
  • FQDN

The FQDN, as its name says, has to be fully qualified: configuring a wildcard domain such as *.colortokens.com is not supported. Customers must also avoid FQDNs whose IPs change very often, because every resolved address becomes a separate firewall rule entry in the host firewall and frequent changes multiply those entries.
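The following Python script is an added illustration of the outbound-path properties above (port, protocol, FQDN) and of the two caveats in this paragraph; it is not ColorTokens or Xshield code, and the page does not describe how Xshield itself compiles rules. It assumes a hypothetical rule syntax, an `OutboundPath` record, and a stub resolver that returns constructed RFC 5737 documentation addresses in place of live DNS. It rejects wildcard names, emits one rule per resolved address, and computes the rule churn (adds and removes) when the resolved address set changes between two lookups.

```python
"""Illustrative compiler from an FQDN-based outbound path to host firewall rules.

Added example, not ColorTokens/Xshield code. The template fields (port,
protocol, fqdn) follow the article; the rule syntax, the function names and
the stub resolver are assumptions made for this illustration.
"""
from dataclasses import dataclass
import ipaddress
import re
from typing import Callable, Dict, List, Set

# Hostname label rules per RFC 1123: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass(frozen=True)
class OutboundPath:
    """The three outbound-path properties named in the article (hypothetical record)."""
    port: int
    protocol: str  # "tcp" or "udp"
    fqdn: str


def validate_fqdn(fqdn: str) -> str:
    """Accept only a literal fully-qualified name; reject wildcards and IP literals."""
    name = fqdn.rstrip(".").lower()
    if "*" in name:
        raise ValueError(f"wildcard domains are not supported: {fqdn}")
    try:
        ipaddress.ip_address(name)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise ValueError(f"expected a hostname, got an IP literal: {fqdn}")
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(label) for label in labels):
        raise ValueError(f"not a valid fully-qualified domain name: {fqdn}")
    return name


def is_supported_fqdn(fqdn: str) -> bool:
    """Boolean form of validate_fqdn, convenient for input checks."""
    try:
        validate_fqdn(fqdn)
        return True
    except ValueError:
        return False


Resolver = Callable[[str], Set[str]]


def compile_rules(path: OutboundPath, resolve: Resolver) -> Set[str]:
    """Resolve the FQDN and emit one outbound allow rule per resolved address."""
    name = validate_fqdn(path.fqdn)
    proto = path.protocol.lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {path.protocol}")
    if not 1 <= path.port <= 65535:
        raise ValueError(f"port out of range: {path.port}")
    rules = set()
    for ip in resolve(name):
        ipaddress.ip_address(ip)  # reject anything that is not an address
        rules.add(f"allow out {proto} to {ip} port {path.port} ({name})")
    return rules


def reconcile(current: Set[str], desired: Set[str]) -> Dict[str, List[str]]:
    """Rules to add and remove so the host firewall matches the latest resolution."""
    return {"add": sorted(desired - current), "remove": sorted(current - desired)}


def make_stub_resolver(table: Dict[str, Set[str]]) -> Resolver:
    """Constructed resolver: a fixed snapshot of addresses standing in for live DNS."""
    def resolve(name: str) -> Set[str]:
        if name not in table:
            raise LookupError(f"NXDOMAIN: {name}")
        return set(table[name])
    return resolve


def demo() -> Dict[str, List[str]]:
    """Show rule churn when a multi-address FQDN changes one of its records."""
    path = OutboundPath(port=443, protocol="tcp", fqdn="support.colortokens.com")
    # Constructed snapshots using RFC 5737 documentation addresses, not real records.
    before = make_stub_resolver({"support.colortokens.com": {"192.0.2.10", "192.0.2.11"}})
    after = make_stub_resolver({"support.colortokens.com": {"192.0.2.10", "198.51.100.7"}})
    return reconcile(compile_rules(path, before), compile_rules(path, after))


if __name__ == "__main__":
    delta = demo()
    for rule in delta["add"]:
        print("+", rule)
    for rule in delta["remove"]:
        print("-", rule)
```

The number of rule entries equals the number of addresses the name resolves to, and every change in that set costs a remove and an add on the host firewall; that is the churn the paragraph warns about, and it is why a name that rotates addresses every few minutes makes a poor policy destination.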

Additional Notes

As with most functions, the FQDN-based outbound policy template can also be configured via the API (and hence through the Xshield SDK).