Using FQDN in Firewall Rules

In addition to an IP address, a range of IP addresses in CIDR notation, or a range of IP addresses with a start and end address, you can use FQDN hostnames as Remote hosts in the EDR Policy Network Control Firewall rules that apply to Windows and macOS operating systems.

Linux Agents do not support FQDN rules

This allows you to, for example:

  • Make a rule to allow outbound TCP traffic over port 80 to specific servers in your organization, identified by their FQDN
  • Make a rule to block all traffic to a specific external server that currently poses a threat to the organization, identified by its FQDN, such as a phishing server that your users are connecting to

How does the Agent allow or block activity based on an FQDN?

The Agent translates the FQDN into IP addresses, and the Agent Firewall then allows or blocks traffic to those IP addresses.

The Agent updates the FQDN to IP translation dynamically, to handle cases where the IP address seen by the endpoint changes. It uses the operating system's DNS query APIs to resolve the FQDN to IP addresses. In addition to checking for IP updates periodically, the Agent queries the DNS servers whenever a value is not in its cache, and when:

  • The endpoint DNS server changes
  • The remote server IP address changes
  • The Firewall Control policy changes
  • An FQDN entry in the Operating System DNS table is outdated

Limitations for Remote Hosts defined by FQDN:

  • An EDR Policy can contain at most 50 FQDN entries across all of its rules - the feature is not intended to integrate with external IP reputation feeds, which can generate thousands of new FQDNs per day
  • One rule can contain at most 30 Remote host entries, FQDN entries included
  • FQDN rules require network connectivity to map the FQDN to IP addresses - if an Agent is offline, rules with FQDN do not work
  • FQDN rules do not apply when an endpoint is set to route traffic through a proxy - in that case the FQDN rules are ignored - to block traffic routed through an organization's proxy, use the proxy filtering options
  • In some cases (usually when there is DNS load balancing), the first IP packet might be allowed or blocked contrary to the Firewall rule - immediately afterwards the Agent gets the updated IP address and blocks or allows the traffic accordingly
  • Rules for a specific URL inside a host (for example: are not supported - the rule must allow or block all access to the FQDN
  • Wildcards are not supported
  • Unicode is not supported
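The following is an added example, not code from the product or this page. It models two things described above: a check of a policy against the documented limits (50 FQDN entries per policy, 30 Remote hosts per rule, no wildcards, no Unicode, no URL paths) and an FQDN to IP cache that decides traffic, including the first-packet gap after an IP change and the offline case. The `Rule` layout, the `resolver` callback that stands in for the operating system DNS API, the first-match-wins ordering and the default "allow" action are assumptions of the example; IP entries are single addresses or CIDR blocks only.

```python
# Added example (not the product's code): check a policy against the documented
# FQDN limits and model the FQDN -> IP cache that decides traffic.  Rule layout,
# resolver callback and default action are assumptions; IP entries are IPs/CIDRs.
import ipaddress
import re
from dataclasses import dataclass

MAX_FQDN_PER_POLICY = 50   # FQDN entries across all rules in one policy
MAX_HOSTS_PER_RULE = 30    # remote host entries in one rule, FQDNs included
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one host name label

def is_ip_entry(entry):
    # True for a single IP or a CIDR block, False for a host name
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False

def validate_fqdn(host):
    """None if host is acceptable as an FQDN remote host, else the reason."""
    if not host.isascii():
        return "Unicode is not supported"
    if "*" in host:
        return "wildcards are not supported"
    if "/" in host:
        return "a URL path cannot be matched; use the host name only"
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        return "not a valid host name"
    return None

@dataclass
class Rule:
    name: str
    action: str         # "allow" or "block"
    protocol: str       # "tcp" or "udp"
    port: int
    remote_hosts: list  # IPs, CIDR blocks and FQDNs

def validate_policy(rules):
    """Return the list of limit violations; empty means the policy is OK."""
    errors, fqdn_total = [], 0
    for r in rules:
        if len(r.remote_hosts) > MAX_HOSTS_PER_RULE:
            errors.append(f"{r.name}: {len(r.remote_hosts)} hosts, max {MAX_HOSTS_PER_RULE}")
        for h in r.remote_hosts:
            if is_ip_entry(h):
                continue
            fqdn_total += 1
            why = validate_fqdn(h)
            if why:
                errors.append(f"{r.name}: {h!r}: {why}")
    if fqdn_total > MAX_FQDN_PER_POLICY:
        errors.append(f"policy: {fqdn_total} FQDN entries, max {MAX_FQDN_PER_POLICY}")
    return errors

class FqdnFirewall:
    """Decides connections with an FQDN -> IP cache.  resolver(fqdn) returns the
    set of IPs (stand-in for the OS DNS API) and raises OSError when offline."""
    def __init__(self, rules, resolver, default="allow"):
        self.rules, self.resolver, self.default = rules, resolver, default
        self.cache = {}
    def _resolve(self, fqdn):
        try:
            return set(self.resolver(fqdn))
        except OSError:
            return set()   # offline: no IPs, so an FQDN rule cannot match
    def refresh(self):
        # periodic re-resolution; also run after a policy or DNS server change
        for r in self.rules:
            for h in r.remote_hosts:
                if not is_ip_entry(h):
                    self.cache[h] = self._resolve(h)
    def _matches(self, entry, ip):
        if is_ip_entry(entry):
            return ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False)
        if entry not in self.cache:          # cache miss: query DNS now
            self.cache[entry] = self._resolve(entry)
        return ip in self.cache[entry]
    def decide(self, protocol, port, dst_ip):
        # first matching rule wins; the default applies when nothing matches
        for r in self.rules:
            if r.protocol == protocol and r.port == port and any(
                    self._matches(h, dst_ip) for h in r.remote_hosts):
                return r.action
        return self.default

def demo_ip_change():
    """Constructed scenario: a blocked phishing host moves to a new IP.  The first
    packet to the new IP is decided on the stale cache entry; after re-resolution
    the block applies again."""
    dns = {"phish.example.net": {"203.0.113.10"}}   # constructed zone data
    fw = FqdnFirewall([Rule("block-phish", "block", "tcp", 443, ["phish.example.net"])],
                      resolver=lambda name: dns[name])
    first = fw.decide("tcp", 443, "203.0.113.10")   # resolved on cache miss
    dns["phish.example.net"] = {"203.0.113.20"}     # the server's IP changes
    stale = fw.decide("tcp", 443, "203.0.113.20")   # stale cache: slips through
    fw.refresh()
    after = fw.decide("tcp", 443, "203.0.113.20")
    return first, stale, after
```

`demo_ip_change()` returns `("block", "allow", "block")`: the packet sent between the IP change and the next re-resolution is decided on the stale mapping, which is the behaviour the DNS load balancing limitation describes. A resolver that raises `OSError` leaves the cache empty, so an FQDN rule never matches while the endpoint is offline; IP and CIDR entries in the same rule keep working because they need no lookup.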