[AF] Application control policy does not take effect when allowing a domain name

Problem Description

  1. An application control policy allows access to the domain name www.baidu.com, but the policy does not take effect.

Effective troubleshooting steps

  1. Direct investigation shows that interception by the default policy is the cause.
  2. Capture packets to confirm that the DNS lookup for www.baidu.com does not pass through the device.
  3. Check whether /proc/net/dnscahe contains www.baidu.com.
  4. Check whether the "Active analysis" option is selected under "Policies" – "Application control policy".

Root cause

To implement application control policies based on domain names, the DNS lookup traffic for the domain name must pass through the AF device. Otherwise, you need to select the active resolution method to obtain the IP address corresponding to the domain name.

Solution

  1. In the [Policies]-[Application Control Policies] settings, check the box for active analysis.
  2. Adjust the intranet routing so that the traffic corresponding to the domain name resolved by DNS lookup passes through the device in both directions.

Suggestions and Conclusion

The domain name-based application control policy relies on the domain name learning function of the DNScache module. After the module learns the corresponding domain name, it sends it to the kernel. As with the whitelist, a policy configured for a lower-level domain name also applies to the higher-level domain names under it. That is, if baidu.com is allowed, zhidao.baidu.com will also be allowed, and aliases will also take effect.
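
The learning behaviour described in the root cause and conclusion, modelled in Python as an added example (not Sangfor code and not part of the original article). The class and method names, the alias www.alias.example and the 192.0.2.x addresses are constructed, and the way aliases are tied to the queried name is an assumption about how the device treats them.

```python
# Simplified model of domain-name policy enforcement by DNS learning.
# Not Sangfor AF code: class, method names and sample records are hypothetical.

def norm(name):
    return name.lower().rstrip(".")

class DomainPolicyModel:
    def __init__(self, allowed_domains):
        self.allowed = {norm(d) for d in allowed_domains}
        self.learned = {}  # destination IP -> names learned from DNS answers

    def name_allowed(self, name):
        # A parent entry covers its subdomains: baidu.com covers zhidao.baidu.com.
        return any(name == d or name.endswith("." + d) for d in self.allowed)

    def observe_dns_response(self, qname, answers):
        """Learn from one DNS response that crossed the device.
        answers: list of (owner, rtype, value) tuples."""
        names = {norm(qname)}
        grew = True
        while grew:  # follow CNAME chains so aliases inherit the queried name
            grew = False
            for owner, rtype, value in answers:
                if rtype == "CNAME" and norm(owner) in names and norm(value) not in names:
                    names.add(norm(value))
                    grew = True
        for owner, rtype, value in answers:
            if rtype in ("A", "AAAA") and norm(owner) in names:
                self.learned.setdefault(value, set()).update(names)

    def active_resolve(self, lookup):
        # "Active" mode: the device resolves the configured names itself
        # instead of waiting to see client lookups. `lookup` is a stand-in resolver.
        for domain in self.allowed:
            self.observe_dns_response(domain, lookup(domain))

    def verdict(self, dst_ip):
        names = self.learned.get(dst_ip, ())
        return "allow" if any(self.name_allowed(n) for n in names) else "default-deny"

# Constructed sample response (documentation IP range, made-up alias).
SAMPLE = [("www.baidu.com", "CNAME", "www.alias.example"),
          ("www.alias.example", "A", "192.0.2.10")]

def demo():
    bypassed = DomainPolicyModel(["www.baidu.com"])   # DNS never crosses the device
    inline = DomainPolicyModel(["www.baidu.com"])
    inline.observe_dns_response("www.baidu.com", SAMPLE)
    return bypassed.verdict("192.0.2.10"), inline.verdict("192.0.2.10")
```

In the model, a device that never sees the lookup has no IP to match against the allowed name, so the connection falls through to the default policy; calling `active_resolve` fills the same table without depending on client DNS traffic.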

Original Link

https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=851&isOpen=true