How to add a Response Policy Item.
You can also list fully qualified domain names (FQDNs) in a single Response Policy file and upload it. This is useful when you have a large number of policy items to manage.
To add a Response Policy Item:
- Select the My IPAM tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the User Home Page.
- From the configuration drop-down menu, select a configuration.
- Select the DNS tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
- Under Response Policies, click the Response Policy object from the list.
- Under Policy Items, click New.
- Under General, set the following parameter:
  - Name (FQDN)—enter the fully qualified domain name to be blocked or redirected. For the allow list option, the specified domain name will be an exception to a DNS query in the allowlist or black hole lists. The asterisk (*) wildcard character can be used to block or redirect any hostname or all sub-domains. For example, if you specify *.example.com, any hostname in example.com will be blocked or redirected, whereas www.example.com will block or redirect any attempt to access only www.example.com. If you specify **.example.com, any hostname or all sub-domains in example.com and example.com itself will be blocked or redirected.

    Note:
    - IP address-based matches are placed into a reverse format. For example, to block 192.0.2.2, you will need to add 32.2.2.0.192.rpz-ip to your Response Policy. This will block any host request that resolves to 192.0.2.2. To block an IPv6 address, you will need to add a similar entry. For example, to block any host that resolves to 2001:DB8:BC:0:FC00:0:0:53, you need to add 128.53.0.0.FC00.0.BC.DB8.2001.rpz-ip.
    - IP address-based matches can be used to block entire networks. To block an entire network, add the netmask for the network in front. For example, to block the network 192.1.0.0/16, you will need to add 16.0.0.1.192.rpz-ip to your Response Policy. To block the entire 2001:DB8:BC:0/64 network, you need to add 64.0.0.0.0.0.BC.DB8.2001.rpz-ip.
- Click Add or Update.
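The reverse-format names described in the note above are easy to get wrong by hand, so they can be generated and checked before they are entered or uploaded. The following Python sketch is an added example, not part of the product or its documentation. The function names rpz_ip_name and build_items are hypothetical, the sample list is constructed from the addresses in the note, and the /64 network is written in standard notation as 2001:DB8:BC::/64.

```python
import ipaddress


def rpz_ip_name(target: str) -> str:
    """Return the rpz-ip policy item name for an IP address or CIDR network."""
    # strict=True rejects CIDRs with host bits set (e.g. 192.0.2.2/16), so a
    # typo cannot silently become a policy item for a different network.
    net = ipaddress.ip_network(target.strip(), strict=True)
    if net.version == 4:
        # IPv4: prefix length, then the four octets in reverse order.
        labels = str(net.network_address).split(".")[::-1]
    else:
        # IPv6: prefix length, then all eight 16-bit groups in reverse order,
        # in hex without leading zeros (the form used in the note above).
        groups = net.network_address.exploded.split(":")
        labels = [format(int(g, 16), "X") for g in reversed(groups)]
    return ".".join([str(net.prefixlen)] + labels + ["rpz-ip"])


def build_items(lines):
    """Convert addresses/CIDRs to names; return (names, rejected_entries)."""
    names, rejected = [], []
    for line in lines:
        entry = line.split("#", 1)[0].strip()  # allow trailing comments
        if not entry:
            continue
        try:
            names.append(rpz_ip_name(entry))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return names, rejected


# Constructed sample input: the four targets from the note above,
# plus one malformed entry that must be rejected.
SAMPLE = [
    "192.0.2.2",
    "2001:DB8:BC:0:FC00:0:0:53",
    "192.1.0.0/16",
    "2001:DB8:BC::/64",
    "192.0.2.2/16   # host bits set",
]

if __name__ == "__main__":
    names, rejected = build_items(SAMPLE)
    print("\n".join(names))
    for entry, reason in rejected:
        print(f"rejected {entry}: {reason}")
```

Review the rejected entries before uploading: a network entry matches every address inside it, so a wrong prefix length blocks far more than intended.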