r80.10 FQDN allow rule not being picked up in DMZ zone.

TL;DR

I have rules for cylance.com being allowed on the application layer (all traffic, regardless of zone). However, the DMZ network is not seeing all their AWS instances as "cylance.com".

Okay, fine, I'll create a network rule (seeing its traffic get blocked by the last catch-all block/drop) for the DMZ to wildcard *.cylance.com <--- but you can't do that, so I did .*\.cylance.com (FQDN domain object).

Still nada. The odd thing is DMZ stuff isn't resolving their AWS addresses as standard traffic does.

Does anyone know where I've gone wrong?

Thanks in advance.


Accepted Solutions
Employee

Re: r80.10 FQDN allow rule not being picked up in DMZ zone.


The Domain object has FQDN and non-FQDN modes. Non-FQDN mode enforces the domain and its sub-domains (the gateway performs a reverse DNS lookup).

".cylance.com" in non-FQDN mode should work for you.

4 Replies
Admin

Re: r80.10 FQDN allow rule not being picked up in DMZ zone.

You can’t do wildcards with FQDN objects.
A specific hostname must be used.
The fact the GUI allows what you specified could be viewed as a bug.

Re: r80.10 FQDN allow rule not being picked up in DMZ zone.


Gotcha, so I shouldn't be using the FQDN?

If I use a host, it will resolve to one IP, which for a smattering of AWS addresses doesn't help solve the issue. (Recommended by the vendor, instead of them just providing a block.)

Which still leaves the question of why the addresses don't resolve for certain zones, to begin with.

Admin

Re: r80.10 FQDN allow rule not being picked up in DMZ zone.

However, that assumes the reverse DNS of the relevant IPs resolves to something.cylance.com.
This has never been a fantastic assumption.
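The two Domain object modes from the accepted answer, and the reverse-DNS caveat in the last reply, modelled as an added example (Python written for this thread, not code from the page or from Check Point). The PTR and A-record tables are constructed sample data, the function names are hypothetical, and the matching rules are a simplification of the gateway's behaviour: a non-FQDN object matches when the IP's PTR name is the domain or a sub-domain of it, an FQDN object matches only the exact hostname it names, and a wildcard or regex string in an FQDN object is just a literal name that resolves to nothing. The audit helper lists the IPs a non-FQDN object would leave uncovered, which is the check to run before relying on such a rule for cloud-hosted vendor addresses.

```python
"""Model of how a Check Point Domain object decides whether an IP belongs to a
domain, in FQDN and non-FQDN mode, so the reverse-DNS gap from the thread can
be seen on sample data.

Assumptions (not from the page): PTR_TABLE and FORWARD_TABLE are constructed
sample answers; the matching rules below are a simplification of the gateway.
"""
import socket

# Constructed reverse-DNS (PTR) answers standing in for the gateway's lookups.
PTR_TABLE = {
    "192.0.2.10": "api.cylance.com.",                          # vendor-owned PTR
    "192.0.2.11": "ec2-192-0-2-11.compute-1.amazonaws.com.",   # cloud default PTR
    "192.0.2.12": None,                                        # no PTR record at all
}

# Constructed forward (A record) answers used by FQDN-mode objects.
FORWARD_TABLE = {
    "api.cylance.com": {"192.0.2.10"},
    "update.cylance.com": {"192.0.2.11", "192.0.2.12"},
}


def reverse_lookup(ip, ptr_table=PTR_TABLE):
    """Return the PTR name for ip from the constructed table, or None."""
    return ptr_table.get(ip)


def reverse_lookup_live(ip):
    """Real PTR query through the OS resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def normalize(name):
    """Strip the trailing dot and case so 'API.CYLANCE.COM.' == 'api.cylance.com'."""
    return name.rstrip(".").lower()


def matches_non_fqdn(domain, ip, ptr_table=PTR_TABLE):
    """Non-FQDN Domain object such as '.cylance.com'.

    The gateway reverse-resolves the IP and matches when the PTR name is the
    domain itself or a sub-domain of it. An IP with no PTR, or whose PTR sits
    in the cloud provider's namespace, never matches, which is the caveat in
    the thread. The suffix test keeps 'evilcylance.com' from matching.
    """
    ptr = reverse_lookup(ip, ptr_table)
    if ptr is None:
        return False
    name = normalize(ptr)
    suffix = normalize(domain.lstrip("."))
    return name == suffix or name.endswith("." + suffix)


def matches_fqdn(hostname, ip, forward_table=FORWARD_TABLE):
    """FQDN Domain object: one exact hostname, matched on forward resolution.

    A wildcard or regex string ('.*\\.cylance.com') is treated as a literal
    hostname; it has no A records, so the object matches no traffic at all.
    """
    return ip in forward_table.get(normalize(hostname), set())


def audit(domain, ips, ptr_table=PTR_TABLE):
    """Map each IP a non-FQDN object for `domain` would NOT cover to the PTR
    name the gateway would see, so the gaps can be reviewed before deploying."""
    gaps = {}
    for ip in ips:
        if not matches_non_fqdn(domain, ip, ptr_table):
            gaps[ip] = reverse_lookup(ip, ptr_table)
    return gaps


if __name__ == "__main__":
    for ip in PTR_TABLE:
        print(ip, "non-FQDN .cylance.com ->", matches_non_fqdn(".cylance.com", ip))
    print("FQDN api.cylance.com covers 192.0.2.10 ->",
          matches_fqdn("api.cylance.com", "192.0.2.10"))
    print("FQDN '.*\\.cylance.com' covers 192.0.2.10 ->",
          matches_fqdn(".*\\.cylance.com", "192.0.2.10"))
    print("uncovered by .cylance.com:", audit(".cylance.com", PTR_TABLE))
```

Running it shows only 192.0.2.10 matched by the non-FQDN object: the AWS-hosted 192.0.2.11 carries the provider's PTR and 192.0.2.12 has none, so both fall through to the catch-all drop exactly as the thread describes. Swapping `reverse_lookup` for `reverse_lookup_live` turns the audit into a quick pre-deployment check against the real addresses a vendor publishes.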