Domain filtering

Domain name filtering is a type of reputation filtering that helps control the traffic that enters and exits your network. Network Security enables you to control traffic by creating and managing a list of fully qualified domain names (FQDNs) that have permitted inbound and outbound access to your environment.


Note

Beginning with version 2021.9.0.11188, domain filtering on Network Security appliances will only enforce policies in the outbound direction, egress to the internet. In addition to complying with the PCI requirement for restricting outbound traffic, this strategy ensures that the filtering policy will not inadvertently affect inbound or East-West traffic in your environments. For these later appliance versions, strategies less burdensome to network environments, such as AWS security groups, can be used for mitigating inbound risks.


When you enable domain filtering, any domains that you do not include in your exceptions list are automatically blocked (a log event is generated by default). The only two domains that are added (invisibly) to the exceptions list of every domain filtering policy that you create are *.amazonaws.com and *.trendmicro.com.

Use the default ports for standard protocols that require a TCP connection.

In order to configure domain filtering functionality and policy, your Network Security appliance must be running version 2021.4.0.10991 or later, and must be running on the AWS cloud computing platform. You cannot distribute a domain filtering policy using an unsupported platform. Contact your Trend Micro representative for assistance, or create a support report.



Note

Each time a change is made to the domain filtering configuration, you must redistribute the policy to your appliances for the changes to take effect.


Manage your permit list using the GUI

The following instructions enable you to manage your domain filters using the GUI so that only the domains you specify are permitted. You can add up to 1000 domain exceptions.

  1. From the navigation panel, click the Policy icon and select Domain Filtering.

  2. Click Configure, or click Edit if you have configured domain filtering already.

  3. On the Domain Filtering page, change the filter state to Enabled. When this setting is Disabled, all domains will be permitted within your cloud environment.

  4. Click the Add entry button under Exceptions List to add the domains that you want permitted. Select the Add another checkbox to add multiple exceptions at one time.

    • Entries must be in the format hostname.domain.com or domain.com. You do not have to include protocols (such as https://) or subdomains.
    • Optionally enter numeric values (ranging from 1 to 65536) for as many as 20 associated ports. If no port is specified, all ports will be available to the domain exception. Invalid entries, such as duplicate entries or numeric values outside of the range, display in red, and an error is displayed.

    Note

    Restrict all exception entries to 255 characters. Appliances running version 2021.4.0.10991 or later support wildcard entries. For example, *.domain.com. Besides the asterisk (*) character in wildcards, the hyphen (-) and the period (.) are the only special characters permitted. Only default ports can be used with wildcard domains in your exceptions list.


  5. After adding your final domain exception, click Save Filter Configuration.

  6. To remove exceptions from the list, select the checkbox next to each item and click the Delete entry button.

  7. Distribute your updated policy to your appliances so that your changes will take effect.
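
The entry rules in step 4 can be checked before a list is entered or submitted. The following pre-flight validator is an added example, not Trend Micro code; the function names and sample entries are constructed for illustration, and it assumes that "only default ports" means a wildcard entry takes no port list.

```python
import re

MAX_ENTRIES, MAX_LEN, MAX_PORTS = 1000, 255, 20   # limits stated on the page
PORT_MIN, PORT_MAX = 1, 65536                     # port range exactly as the page gives it
# Optional leading "*." wildcard, then two or more letter/digit/hyphen labels.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(\*\.)?{_LABEL}(?:\.{_LABEL})+$")

def check_entry(domain, ports=()):
    """Return the list of rule violations for one exception entry."""
    errors = []
    if "://" in domain:
        errors.append("protocol prefix not allowed")
    if len(domain) > MAX_LEN:
        errors.append("longer than 255 characters")
    if not _DOMAIN_RE.match(domain):
        errors.append("bad format or character")
    if len(ports) > MAX_PORTS:
        errors.append("more than 20 ports")
    if any(not (PORT_MIN <= p <= PORT_MAX) for p in ports):
        errors.append("port out of range")
    # Assumption: "only default ports" means a wildcard entry takes no port list.
    if domain.startswith("*.") and ports:
        errors.append("ports on wildcard entry")
    return errors

def check_permit_list(entries):
    """entries: list of (domain, ports). Returns {domain: [violations]}."""
    report, seen = {}, set()
    if len(entries) > MAX_ENTRIES:
        report["<list>"] = ["more than 1000 entries"]
    for domain, ports in entries:
        errors = check_entry(domain, ports)
        if domain.lower() in seen:
            errors.append("duplicate entry")
        seen.add(domain.lower())
        if errors:
            report.setdefault(domain, []).extend(errors)
    return report

# Constructed sample input, not taken from a real policy.
SAMPLE = [
    ("updates.example.com", [443]), ("*.example.org", []),
    ("https://example.com", []), ("*.example.net", [8443]),
    ("example.com", [0, 70000]), ("updates.example.com", [443]),
]

if __name__ == "__main__":
    print(check_permit_list(SAMPLE))
```

An empty report means every entry satisfies the documented format, length, port and duplicate rules; the appliance may still apply checks that are not described on this page.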


Manage your permit list using APIs

The instructions that follow enable you to manage your domain filters using APIs. Learn more about Network Security APIs.


Note

To see API changes on your screen, you must refresh your Network Security page.



Getting started with domain filtering

If you are using this feature for the first time, follow the workflows below to enable and configure your permit list settings:

  1. Configure a list of verified domains to be permitted
  2. Enable domain configuration
  3. Sync your list of permitted domains and your enabled domain configuration with your virtual appliance
  4. Verify that your domain settings are applied to your appliances

Configure a list of verified domains

Use the following APIs to configure a list of verified domains in your permit list. Before you begin, ensure that you have your virtual appliance registered and managed by Network Security.

  1. Add FQDNs to your permit list by calling the add domain entries API:

    POST /api/domains/permitlists/entries

  2. Verify your permit list by calling the list domain entries API:

    GET /api/domains/permitlists/entries


Enable domain configuration

Before you can distribute the domain configuration settings to your appliances, you must enable the configuration. Use the following APIs to configure and retrieve your domain configuration settings.

  1. Create a domain configuration by calling the create domain filtering configuration API:

    POST /api/domains/configurations

  2. Verify your domain configuration by calling the get domain filtering configuration API:

    GET /api/domains/configuration


Sync permit list and domain configuration with your appliance

Use the following API to sync your list of permitted domains and your domain configuration with the appliance. Before you begin, ensure that you have your virtual appliance registered and managed by Network Security.

Distribute the domain configuration settings to the target appliances by calling the distribution API:

POST /api/domains/permitlists/distributions

Note

Appliance IDs are required for this API call and can be gathered using the Appliance Control API.



Verify your domain settings are applied to your appliances

Use the following APIs to check the status of your domain distributions. Before you begin this process, ensure that at least one distribution is submitted.

  • Using the distribution ID returned from your sync, check the status by calling the get domain distribution API:

    GET /api/domains/permitlists/distributions/{domainDistributionId}

  • Alternatively, list the most recent domain distributions by calling the list ongoing domain distributions API:

    GET /api/domains/permitlists/distributions


Retrieve a list of permitted domains

Use the following API to retrieve a list of domains that are permitted within your cloud network.

To access a list of permitted domain entries, call the list domain entries API:

GET /api/domains/permitlists/entries


Remove entries from the Permit list

Use the following APIs to remove entries from the Permit list. At least one entry must be added to an appliance before you can perform this API workflow.

  1. Access the list of permitted domain entries by calling the list domain entries API:

    GET /api/domains/permitlists/entries

  2. Remove a domain entry from the Permit List by calling the remove domain entry API:

    DELETE /api/domains/permitlists/entries

  3. Distribute the Permit list to your appliances by calling the distribution API:

    POST /api/domains/permitlists/distributions

You can use the Appliance Control API to get the IDs of your appliances.


Disable domain filtering

Use the following APIs to disable Domain Filtering. When you disable Domain Filtering, all domains will be permitted within your cloud environment.

  1. Access a list of domain configurations by calling the list configurations API:

    GET /api/domains/configurations

  2. Update the domain configuration by calling the update domain filtering configuration API:

    PUT /api/domains/configurations/{domainPolicyUuid}

  3. Distribute the domain configuration to your appliances by calling the distribution API:

    POST /api/domains/permitlists/distributions

    You can use the Appliance Control API to get the IDs of your appliances.