H3C Firewall Products Comware 7 Web Configuration Guide(E1196 E8371)-6W700, 04-Policies, 13-Domain reputation

Domain reputation

 

This help contains the following topics:

·     Introduction

○     Domain reputation signature library

○     Attack category and action

○     Domain name exception list

○     Domain reputation workflow

·     Restrictions and guidelines

·     Configure domain reputation

○     Configure domain reputation

○     Enable top hit statistics collection

○     Configure the action for an attack category

○     Configure the domain name exception list

Introduction

Domain reputation uses the domain name information in the domain reputation signature library to filter network traffic.

Domain reputation signature library

The domain reputation signature library contains domain names associated with risks such as zombie host DDoS attacks, command injection attacks, Trojan virus download attacks, or port scans. For each domain name, the signature library records information such as the attack type, the recommended action, and whether to record logs. For more information, see the signature upgrade help.

Attack category and action

The device takes an action (drop or permit) when the domain name of a DNS packet has a hit in the domain reputation signature library. Logging for the packet is also supported.

In the domain reputation signature library, a domain name might belong to multiple attack categories. Each attack category has an associated action.

If a domain name belongs to only one attack category, the device takes the action of that attack category on the packet. If a domain name belongs to multiple attack categories, the device takes the action that has the highest priority among the actions of those attack categories. The drop action has higher priority than the permit action.

If logging is enabled for any one of the attack categories to which the domain name belongs, the device generates a log for the matching packets.

Domain name exception list

A packet is forwarded directly if it contains a domain name on the domain name exception list. The device does not perform a domain reputation check on the packet.

Domain reputation workflow

Figure 1 describes the domain reputation workflow.

Figure 1 Domain reputation workflow

Domain reputation processes a packet as follows:

2.     The device determines whether the domain name in the packet has a match on the domain name exception list. If a match is found, the packet is forwarded directly. If no match exists, the device proceeds to the next step.

3.     The device determines whether the domain name has a match in the domain reputation signature library and takes the corresponding action.

○     If a match is found, the device takes the action of the matching attack category.

○     If more than one match is found, the device takes the action that has the highest priority among all the actions of the attack categories.

○     If no match is found, the device forwards the packet.

The following actions are supported:

-     Permit—Allows packets to pass through.

-     Drop—Drops packets.

-     Logging—Generates domain reputation logs.
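
The decision logic described in this workflow, modeled in Python as an added example (not H3C code and not part of the original help). The category names, domain names, and the exact, case-insensitive name comparison are assumptions; the page does not state how the device compares names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CategoryPolicy:
    action: str    # "permit" or "drop"
    logging: bool  # whether logging is enabled for this attack category


# Constructed per-category settings (names and values are illustrative,
# not taken from a real signature library).
CATEGORY_POLICY = {
    "ddos-zombie": CategoryPolicy("drop", False),
    "port-scan": CategoryPolicy("permit", True),
    "trojan-download": CategoryPolicy("drop", True),
}

# Constructed signature library: domain name -> attack categories it belongs to.
SIGNATURES = {
    "bad.example.test": {"ddos-zombie", "port-scan"},
    "scan.example.test": {"port-scan"},
    "allowed.example.test": {"trojan-download"},
}

# Constructed domain name exception list.
EXCEPTIONS = {"allowed.example.test"}


def normalize(name):
    # Assumption: exact, case-insensitive comparison with any trailing dot
    # removed. Subdomain or wildcard matching is not modeled.
    return name.strip().rstrip(".").lower()


def evaluate(qname, exceptions=EXCEPTIONS, signatures=SIGNATURES,
             policy=CATEGORY_POLICY):
    """Return (action, log) for the domain name carried in a DNS packet."""
    name = normalize(qname)
    # Exception list hit: forwarded directly, no reputation check, no log.
    if name in exceptions:
        return ("permit", False)
    # No hit in the signature library: the packet is forwarded.
    categories = signatures.get(name)
    if not categories:
        return ("permit", False)
    hits = [policy[c] for c in categories]
    # Drop outranks permit when the name belongs to several categories.
    action = "drop" if any(p.action == "drop" for p in hits) else "permit"
    # A log is generated if logging is enabled for any matching category.
    return (action, any(p.logging for p in hits))
```

In this model a name that belongs to both a drop category without logging and a permit category with logging is dropped and logged, while a name on the exception list is forwarded without a log even though its category would drop it.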

Restrictions and guidelines

·     To use the domain reputation feature, purchase a license for this feature and install it correctly. After the license expires, the existing domain reputation signature library remains available but cannot be upgraded. For more information, see the license help.

·     Top hit statistics are cleared after you disable top hit statistics.

·     Make sure the system time is the same as the network time.

Configure domain reputation

Configure domain reputation

1.     Click the Policies tab.

2.     In the navigation pane, select Active Defense > Threat Intelligence > Domain Reputation.

3.     Select Enable for Domain Reputation.

4.     To search for a domain name, click Domain name search, enter the domain name, and click Search. Information about the matching domain name is displayed. You can add the domain name to or remove it from the domain name exception list.

Enable top hit statistics collection

1.     Click the Policies tab.

2.     In the navigation pane, select Active Defense > Threat Intelligence > Domain Reputation.

3.     Select Enable for Domain Reputation.

4.     Select Enable for Domain name hit statistics.

5.     To open the Top Hit Statistics page, click Top hit statistics. To view top hit statistics ranking information, configure statistics conditions. You can also add a domain name to or remove it from the domain name exception list.

Configure the action for an attack category

1.     Click the Policies tab.

2.     In the navigation pane, select Active Defense > Threat Intelligence > Domain Reputation.

3.     Select Enable for Domain Reputation.

4.     In the Action configuration area, configure an action for an attack category. The following actions are supported:

○     Permit—Allows packets to pass through.

○     Drop—Drops packets.

5.     To restore the default configuration, click Restore default.

6.     Click Apply.

Configure the domain name exception list

1.     Click the Policies tab.

2.     In the navigation pane, select Active Defense > Threat Intelligence > Domain Reputation.

3.     Select Enable for Domain Reputation.

4.     In the Domain name exception list area, enter domain names, one domain name per line.

5.     Click Apply.

 

 

 
