Example 1: Block and observe Web-based threats - BlueCat Edge - Service Point v3.x.x

BlueCat Edge Deployment Guide

In this example, we will block client access to a list of known malware sites, and we will transparently monitor client access to a list of known ad-tracking sites without blocking.

Note: This example requires that you download the following lists: known-malware.lst and known-ad-trackers.lst.

Create a malware domain list
  1. In the top navigation bar, click and select Domain Lists.
  2. Click to create a new domain list.
  3. For Name, enter Known Malware, and for Description, enter a brief description for the list. For Type, keep the default User Defined.
  4. Drag and drop the known-malware.lst file into the Domains field.
  5. Click Save and Close.

Create a policy to block malware
  1. In the top navigation bar, click and select Policies.
  2. Click to create a new policy.
  3. For Name, enter Block Known Malware, and for Description, enter a brief description for the policy.
  4. For Type, select Block, and set the slider to Active.
  5. In the Sites field, start typing the name of a site, and then select the site you want to apply the policy to.
  6. Expand the Domain List section, and in the Block List field, start typing Known Malware, and then select that domain list.
  7. Click Save & Apply.

Test the blocking policy

Query any domain from the known malware domain list, for example dsfpgl.org. You should receive a "Non-existent domain" (NXDOMAIN) response.

View blocked DNS activity
  1. In BlueCat Edge, select the DNS Activity view.
  2. In the Command bar, type /policyname Block Known Malware, and press Enter. In the DNS Activity tab, you should see the blocked DNS queries from your test.

Create an ad-tracking domain list
  1. In the top navigation bar, click and select Domain Lists.
  2. Click to create a new domain list.
  3. For Name, enter Known Ad Trackers, and for Description, enter a brief description for the list. For Type, keep the default User Defined.
  4. Drag and drop the known-ad-trackers.lst file into the Domains field.
  5. Click Save and Close.

Create a policy to monitor ad-tracking activity
  1. In the top navigation bar, click and select Policies.
  2. Click to create a new policy.
  3. For Name, enter Monitor Known Ad Trackers, and for Description, enter a brief description for the policy.
  4. For Type, select Monitor, and set the slider to Active.
  5. In the Sites field, start typing the name of a site, and then select the site you want to apply the policy to.
  6. Expand the Domain List section, and in the Watch List field, start typing Known Ad Trackers, and then select that domain list.
  7. Click Save & Apply.

Test the ad-tracking policy

Query any domain from the known ad trackers domain list, for example googlesyndication.com. You should receive a normal response.
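
Both policy tests can be spot-checked from a client with a short script that sends each query and compares the response code with the expected result. This is an added example, not BlueCat code; the resolver address 192.0.2.53 is a placeholder for your service point, and the function names are illustrative.

```python
import secrets
import socket
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

def build_query(domain, qid):
    """Encode a recursive A/IN query for `domain` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_rcode(response, qid):
    """Return the RCODE of `response` after checking its ID and QR bit."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return flags & 0x000F

def classify(rcode, policy_type):
    """Compare an RCODE with the result the guide expects for each policy type."""
    if policy_type == "block":
        return "ok" if rcode == RCODE_NXDOMAIN else f"NOT BLOCKED (rcode {rcode})"
    return "ok" if rcode == RCODE_NOERROR else f"unexpected rcode {rcode}"

def check(domain, policy_type, resolver, timeout=3.0):
    """Query `resolver` over UDP/53 and classify the answer."""
    qid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((resolver, 53))  # connected socket: replies from other hosts are dropped
        s.send(build_query(domain, qid))
        return classify(parse_rcode(s.recv(4096), qid), policy_type)

if __name__ == "__main__":
    RESOLVER = "192.0.2.53"  # placeholder: address of your Edge service point
    # Sample domains are the two the guide names; add more lines from each list.
    for domain, ptype in [("dsfpgl.org", "block"),
                          ("googlesyndication.com", "monitor")]:
        print(f"{domain:25} {ptype:8} {check(domain, ptype, RESOLVER)}")
```

A domain that no longer exists upstream also returns NXDOMAIN, so confirm that a block came from the policy by checking the DNS Activity view with /policyname Block Known Malware.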

View ad-tracking activity
  1. In BlueCat Edge, select the DNS Activity view.
  2. In the Command bar, type /policyname Monitor Known Ad Trackers, and press Enter. In the DNS Activity tab, you should see the monitored DNS queries from your test.