
[AF] A domain name-based application control policy configured on the firewall does not match traffic

Problem Description

An application control policy on the firewall was written to allow traffic from a business server address to the external domain name oapi.dingtalk.com, with a priority higher than all deny policies. During business testing, however, the connection failed and the allow policy showed no matches. Directional traffic analysis showed that the traffic was being matched by a deny policy instead. After the destination address in the policy was changed to dingtalk.com, the business worked normally and the policy began to accumulate match counts.

Effective troubleshooting steps

  1. Below this policy there is another policy whose destination address is api.dingtalk.com.
  2. The domain names api.dingtalk.com and oapi.dingtalk.com share the same CNAME alias, v6-cname.dingtalk.com, as shown in the DNS resolution figure of the original article.
  3. The data structure in which AF caches the domain names referenced by ACL policies is designed as a one-to-many relationship between a primary domain name and its aliases: a primary name can have several aliases, but an alias stores only one primary name. Consequently the alias v6-cname.dingtalk.com can be associated with only one of the two domain names, so the resolved IP address is linked to whichever of api.dingtalk.com and oapi.dingtalk.com passed through the AF first and was cached.
  4. On the device under test, the cached IP resolved through that alias was associated with api.dingtalk.com. The policy whose destination was oapi.dingtalk.com therefore could not match, because no IP address was found for that destination domain name; the policy whose destination was api.dingtalk.com could not match either, because its source address group did not contain the server address. The test therefore failed.

Root cause

The data structure in which AF caches the domain names referenced by ACL policies is designed as a one-to-many relationship between a primary domain name and its aliases, meaning an alias stores only one primary domain name. The alias v6-cname.dingtalk.com can therefore be associated with only one of the two domain names: the resolved IP address is linked to whichever of api.dingtalk.com and oapi.dingtalk.com passed through the AF first and was cached.

Solution

Option 1:
Put both destination addresses, api.dingtalk.com and oapi.dingtalk.com, into a single policy. They cannot be controlled separately: the IPs resolved from the two domain names are associated with only one of them, so if the names are split across two policies one of those policies will inevitably never match.
Option 2:
Configure the destination address of the policy as dingtalk.com, the common parent domain of api.dingtalk.com and oapi.dingtalk.com. The drawback is that every other domain name matching *.dingtalk.com will also be cached, so the number of cached domain names becomes much larger than the number referenced by the policy and can easily exceed the cache limit (10,000 by default).
Option 3:
Apply the patch package (ACL domain name optimization package). Its design is to save and associate the IP address directly with the corresponding primary domain name (the queried name) when the aliases of two domain names conflict.
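The following Python model is an added illustration and is not Sangfor's code or anything taken from the article. It reproduces the cache behaviour described in the root cause (an alias keeps only the first primary domain, so one of two names sharing a CNAME silently loses its IP association), shows why the merged policy of Option 1 works around it, and contrasts the pre-patch design with the per-query-name association described for Option 3. The DNS answers, the IP address 203.0.113.10, the source address groups and the policy names are constructed for the example, and the two cache classes are an assumed model of the design the article describes, not the AF's actual implementation.

```python
"""Model of the AF domain-name ACL cache behaviour described in this article.

Everything here is constructed for illustration: the DNS answers, the IP
addresses, the address groups and the policy names are made up, and the two
cache classes are an assumed model of the design the article describes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Constructed DNS view: both query names resolve through the same CNAME
# alias to the same address (203.0.113.10 is a documentation-range IP).
DNS_ANSWERS = {
    "api.dingtalk.com": ("v6-cname.dingtalk.com", ["203.0.113.10"]),
    "oapi.dingtalk.com": ("v6-cname.dingtalk.com", ["203.0.113.10"]),
}


@dataclass
class Policy:
    name: str
    action: str            # "allow" or "deny"
    src_group: List[str]   # source address group as CIDRs
    dst_domains: Set[str]  # destination domain names; empty set = any


class OriginalCache:
    """Assumed pre-patch design: an alias stores exactly one primary domain,
    so the resolved IP is linked to whichever query name was cached first."""

    def __init__(self) -> None:
        self.alias_to_primary: Dict[str, str] = {}
        self.ip_to_domain: Dict[str, str] = {}

    def observe(self, qname: str) -> None:
        alias, ips = DNS_ANSWERS[qname]
        # setdefault keeps the first primary name; later names are dropped
        primary = self.alias_to_primary.setdefault(alias, qname)
        for ip in ips:
            self.ip_to_domain[ip] = primary

    def domains_for(self, ip: str) -> Set[str]:
        primary = self.ip_to_domain.get(ip)
        return {primary} if primary else set()


class PatchedCache:
    """Assumed post-patch design (Option 3): the IP is associated directly with
    every query name that resolved to it, so an alias conflict drops nothing."""

    def __init__(self) -> None:
        self.ip_to_domains: Dict[str, Set[str]] = {}

    def observe(self, qname: str) -> None:
        _alias, ips = DNS_ANSWERS[qname]
        for ip in ips:
            self.ip_to_domains.setdefault(ip, set()).add(qname)

    def domains_for(self, ip: str) -> Set[str]:
        return self.ip_to_domains.get(ip, set())


def first_match(policies: List[Policy], cache, src_ip: str, dst_ip: str) -> Optional[str]:
    """Return the name of the first (highest-priority) policy matching the flow,
    or None. A domain-based policy matches only when the destination IP is
    cached under one of the policy's domain names."""
    src = ip_address(src_ip)
    dst_domains = cache.domains_for(dst_ip)
    for p in policies:
        if not any(src in ip_network(cidr) for cidr in p.src_group):
            continue
        if p.dst_domains and not (p.dst_domains & dst_domains):
            continue
        return p.name
    return None


# Constructed policy table mirroring the article: the allow policy for the
# business server (10.0.0.5) sits above a second allow policy for a different
# address group with destination api.dingtalk.com, followed by a deny-all.
POLICIES = [
    Policy("allow-oapi", "allow", ["10.0.0.5/32"], {"oapi.dingtalk.com"}),
    Policy("allow-api", "allow", ["10.0.1.0/24"], {"api.dingtalk.com"}),
    Policy("deny-all", "deny", ["0.0.0.0/0"], set()),
]

# Option 1 workaround: both domain names in one policy.
MERGED_POLICIES = [
    Policy("allow-dingtalk", "allow", ["10.0.0.5/32", "10.0.1.0/24"],
           {"api.dingtalk.com", "oapi.dingtalk.com"}),
    Policy("deny-all", "deny", ["0.0.0.0/0"], set()),
]


def scenario(cache_cls, policies: List[Policy]) -> Optional[str]:
    """Another host resolves api.dingtalk.com first; the business server then
    resolves oapi.dingtalk.com and connects to the shared IP."""
    cache = cache_cls()
    cache.observe("api.dingtalk.com")
    cache.observe("oapi.dingtalk.com")
    return first_match(policies, cache, "10.0.0.5", "203.0.113.10")


if __name__ == "__main__":
    print("original cache:", scenario(OriginalCache, POLICIES))        # deny-all
    print("patched cache: ", scenario(PatchedCache, POLICIES))         # allow-oapi
    print("merged policy: ", scenario(OriginalCache, MERGED_POLICIES))  # allow-dingtalk
```

With the pre-patch cache the business flow falls through to the deny policy exactly as the troubleshooting steps describe: the oapi policy finds no IP for its domain, and the api policy fails on the source address group. The same flow is allowed once both names are merged into one policy (Option 1) or once the cache keys the IP by every query name (Option 3).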

Suggestions and Conclusion

Using domain name-based application control policies on the firewall is not recommended. If they must be used because of historical configuration or other constraints, apply the ACL optimization package. This patch package is a set of optimizations specifically for domain name-based application control policies; besides fixing the problem described here, it also fixes other known issues, including domain name delivery performance, domain name cache synchronization when switching between the two devices of a high-availability pair, and other policy matching issues that can occur when services are modified.

Original Link

https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=2016&isOpen=true