I am trying to set up a firewall policy rule with the following definition:
Only allow traffic to website with domain: mcafee.com (for example)
I can see two ways of doing this:
1) Create new rule, set action to 'allow', choose rule type 'Domain', enter 'mcafee.com' in the domain list field
2) Create new rule, set action to 'allow', choose rule type 'Standard', from remote address dropdown choose 'fully qualified domain name' and enter 'mcafee.com', communication on 'All IP Protocols'
But neither of these seem to allow me to access the McAfee website when HIPS is enabled on a client PC. Instead all web traffic is blocked (as I would expect if I hadn't configured any other rules).
Can someone tell me if I'm missing something blantantly obvious, or if the above premise should work?
Would the client be able to resolve the FQDN with your current ruleset? Also please be aware that rules are worked down from top to bottom meaning that DNS should be on top of your Rule I would think.
Thanks for your response dyilmaz
We do have a rule for DNS above the rule I am testing:
Incidentally we also have a rule (which I temporarily disabled during testing) which allowed all traffic, in and out, to any remote address - and this allowed access to any website. As soon as I disabled this, leaving my specific mcafee.com rule in place - I was unable to connect to any website, including McAfee's.
Host IPS was not designed as a Web URL filtering product. Some comments:
1. HIPS Firewall Domain rules allow/block DNS lookups only. It does not allow outbound traffic for the domain that is looked up (See #2).
2. You still need to create firewall rules to allow outbound traffic (e.g., to browse to the Internet you need to create firewall rules that allow outbound TCP port 80 traffic).
3. FQDN firewall rules are to specific hostnames.domainnames. You cannot use wildcards. You would need to create FQDN rules for every specific Internet hostname that the user need to communicate with (e.g., www.mcafee.com, images.mcafee.com, community.mcafee.com, etc.).on 12/13/10 12:33:17 PM CST