Bypass SWG using FQDN
A secure web gateway (SWG) is a network security service, available on-premise or via the cloud, that shields organizations from online threats and infections. SWGs enforce company policies and filter outbound traffic by sitting between users and the Internet. They provide advanced protection by inspecting web requests to ensure that malicious applications and websites are blocked and remain inaccessible.
For domains included in the Firewall destination list, CDFW will process web traffic and route it to the internet rather than forward it to SWG.
This feature of SWG uses the same user experience as FQDN based policies on CDFW, but makes a steering decision not to forward web traffic for domains specified in the destination list if the appropriate org setting is active on the org.
Table of Contents
Prerequisites
- An internet connection that allows outbound IPsec traffic.
- Full admin access to the Umbrella dashboard. See Manage User Roles.
- A network device capable of establishing an IPsec IKEv2 tunnel. For supported network devices, see Supported IPsec Parameters.
- At least one tunnel added. For more information about adding tunnels, see Network Tunnel Configuration.
Limitations
- The rule behavior is not predictable when the target destination (FQDN) may resolve to many different IP addresses or receive answers which are geolocation-specific. For example, if the resource is on a CDN (Content Delivery Network), the IP address in the firewall policy could be different from the address the client is trying to access leading to inconsistent firewall policy application.
- Neither implicit nor explicit wildcards are supported.
- Private/internal domains are not supported since the DNS server being used by CDFW is not configurable.
- FQDN lists are not designed to filter URLs or web-based applications. It is recommended that you use Umbrella SWG URL filtering and firewall rules with internet-based application controls for general web-based access control.
- FQDN lists must only be used as a fallback solution if URL filtering or Layer 7 App Control do not work.
- Each firewall rule can only have one FQDN list added.
Add an FQDN List to a Firewall Rule < Bypass SWG using FQDN > Delete a Firewall Rule
Updated 2 months ago