Introduction
Our threatER Enforce software sits as a layer 2 bump-in-the-wire and looks at each connection request, evaluating information in the handshake (IP address, country, host/ASN, and the domain, when it is not encrypted) against the policies you have configured in the threatER Portal to determine whether the connection should be allowed or blocked.
Note that when domain encryption is enabled, Enforce may not be able to see the domain associated with the packet.
With the Domain Inspection feature, Enforce examines connections on the ports you specify and attempts to extract domain information from the connection's data. Enforce can currently extract the domain from the Host header in HTTP connections and from the SNI header in TLS and QUIC connections. This works for all versions of HTTP as long as there is a Host header, and for both TLS 1.2 and TLS 1.3 as long as an SNI header is present and is not encrypted.
Domain Inspection incurs a small performance penalty; however, in typical environments it is expected to be negligible. If performance issues arise with Domain Inspection enabled, one of the following actions can be taken:
- Reduce the amount of traffic being inspected (via inspection ports and/or networks)
- Upgrade to faster hardware
- Disable the feature on the impacted network
Enforcers must be on build 294 for full support of the feature.
Domain Inspection
More information on enabling the Domain Inspection feature is available in our Knowledge Base article. Once enabled at the Network level, you will need to select the Domain Inspection Type to determine how the Enforcer will inspect the traffic.
There are 4 options available to you:
- Prefer IP
- Prefer Domain
- Prefer Both
- Explicit
The tables below show the action taken by Enforce for each Domain Inspection Type. If a domain cannot be discovered from the connection after 5 packets, the IP verdict is enforced. "Domain None" means the domain was not on an enabled Allow or Block list.
Prefer IP

| | Domain Allow | Domain Block | Domain None |
|---|---|---|---|
| IP Allow | Allow | Allow | Allow |
| IP Block | Block | Block | Block |

Prefer Domain

| | Domain Allow | Domain Block | Domain None |
|---|---|---|---|
| IP Allow | Allow | Block | Allow |
| IP Block | Allow | Block | Allow |

Prefer Both

| | Domain Allow | Domain Block | Domain None |
|---|---|---|---|
| IP Allow | Allow | Block | Allow |
| IP Block | Block | Block | Block |

Explicit

| | Domain Allow | Domain Block | Domain None |
|---|---|---|---|
| IP Allow | Allow | Block | Allow |
| IP Block | Allow | Block | Block |
Prefer IP is the default setting and is IP based. If an IP has been flagged by your policies to be blocked, adding the domain/subdomain to an allow list may not resolve the unexpected block, because Prefer IP does not use SNI inspection to determine the domain.
Prefer Domain prioritizes the domain name's verdict over the IP address's verdict when deciding whether to allow or block a connection. If the domain is allowed, the connection is allowed regardless of the associated IP address. If the domain is not on any list (i.e. "None"), the connection is still allowed, since the domain has not been specified as blocked.
Prefer Both is more restrictive than Prefer IP and Prefer Domain: it requires both the IP address and the domain name to be "Allowed" for the connection to proceed.
Explicit requires an explicit match on a domain list (allow or block) to override the IP verdict. If a domain is not specifically listed on an allow list (i.e. "None"), the IP stays blocked. We recommend this setting if you are using the feature for the first time.
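As an added illustration (not threatER's own code), the four decision tables and the five-packet discovery limit expressed as a Python lookup you can run against constructed connections. The exact-match list lookup, the rule that a block list wins over an allow list, and the sample domains are assumptions made for the example.

```python
from enum import Enum
from typing import Optional, Sequence

class Mode(Enum):
    PREFER_IP = "Prefer IP"
    PREFER_DOMAIN = "Prefer Domain"
    PREFER_BOTH = "Prefer Both"
    EXPLICIT = "Explicit"

ALLOW, BLOCK, NONE = "Allow", "Block", "None"  # NONE: domain is on no enabled list
DISCOVERY_PACKET_LIMIT = 5                      # packets examined before falling back to the IP verdict

# Rows: IP verdict. Columns: domain verdict in the order (Allow, Block, None).
# Transcribed from the four Domain Inspection Type tables.
MATRIX = {
    Mode.PREFER_IP:     {ALLOW: (ALLOW, ALLOW, ALLOW), BLOCK: (BLOCK, BLOCK, BLOCK)},
    Mode.PREFER_DOMAIN: {ALLOW: (ALLOW, BLOCK, ALLOW), BLOCK: (ALLOW, BLOCK, ALLOW)},
    Mode.PREFER_BOTH:   {ALLOW: (ALLOW, BLOCK, ALLOW), BLOCK: (BLOCK, BLOCK, BLOCK)},
    Mode.EXPLICIT:      {ALLOW: (ALLOW, BLOCK, ALLOW), BLOCK: (ALLOW, BLOCK, BLOCK)},
}
COLUMN = {ALLOW: 0, BLOCK: 1, NONE: 2}

def table_verdict(mode: Mode, ip_verdict: str, domain_verdict: str) -> str:
    """Final action for one (mode, IP verdict, domain verdict) cell of the tables."""
    return MATRIX[mode][ip_verdict][COLUMN[domain_verdict]]

def list_verdict(domain: str, allow_list: set, block_list: set) -> str:
    """Exact-match lookup; block list wins on a conflict (both are assumptions)."""
    if domain in block_list:
        return BLOCK
    return ALLOW if domain in allow_list else NONE

def decide(mode: Mode, ip_verdict: str, packet_domains: Sequence[Optional[str]],
           allow_list: set, block_list: set) -> str:
    """Walk a connection's packets in order. Each entry is the domain extracted from that
    packet (HTTP Host header or TLS/QUIC SNI), or None if the packet carried none. If no
    domain is seen within DISCOVERY_PACKET_LIMIT packets, the IP verdict is enforced."""
    for domain in packet_domains[:DISCOVERY_PACKET_LIMIT]:
        if domain is not None:
            return table_verdict(mode, ip_verdict, list_verdict(domain, allow_list, block_list))
    return ip_verdict

if __name__ == "__main__":
    allow, block = {"updates.example.com"}, {"bad.example.net"}   # constructed lists
    sni_in_second_packet = [None, "updates.example.com", None]    # constructed TLS flow
    for mode in Mode:  # blocked IP, allow-listed domain: only Prefer Domain/Explicit allow
        print(f"{mode.value:14} {decide(mode, BLOCK, sni_in_second_packet, allow, block)}")
    # encrypted or absent SNI: five packets with no domain, so the IP verdict stands
    print("No domain seen:", decide(Mode.PREFER_DOMAIN, BLOCK, [None] * 5, allow, block))
```

The last call models the unexpected-block case from the Prefer IP description: once the domain cannot be read, every mode falls back to the IP verdict.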