KB43891 - Fully Qualified Domain Name (FQDN) split tunnel traffic is sent via the tunnel even though there is a deny rule for the IPv4 address


Information

 
Last Modified Date: 10/22/2018 2:53 PM
Synopsis
This article provides details about the behavior of Fully Qualified Domain Name (FQDN) split tunneling with a deny rule.
Problem or Goal
If a deny (exclude) rule is configured for both an IP address and a fully qualified domain name under Users > Resource Policies > VPN Tunneling > Split-tunneling Networks, traffic to that IP address can still go via the tunnel interface when it is reached through a name that the FQDN rule does not match. For example, a deny policy is created for:

IPv4 address: 10.9.8.7
FQDN: *.office.net

When the user accesses an FQDN that does not match *.office.net but resolves to 10.9.8.7, the traffic is routed through the tunnel even though there is a deny policy for that specific IP address.
Cause
This occurs because fully qualified domain name rules take precedence over IP address rules. As soon as any FQDN split-tunneling policy exists, the routing decision is made on the name the user requested, not on the address it resolves to, so the IPv4 deny rule for 10.9.8.7 is never consulted. In the example above the requested name does not match *.office.net, so it falls into the "all other requests" case of combination 2 below and is sent through the tunnel.

There are three combinations of FQDN policies to consider when creating policies / rules:
  1. If only FQDN allow policies are configured, then all FQDNs that match an allow policy are routed through the tunnel. All other requests are sent through the physical adapter.
  2. If only FQDN exclude policies are configured, then all FQDNs that match an exclude policy are routed through the physical adapter. All other requests are sent through the tunnel.
  3. If both allow and exclude policies are configured, then all FQDNs that match an allow policy are routed through the tunnel. All other requests, including names that match neither list, are sent through the physical adapter.
Solution
To resolve the problem, the admin should move to combination 1 or 3 above by adding an allow policy for the FQDNs that are meant to traverse the tunnel. Once an FQDN allow policy exists, every FQDN that is not covered by an allow policy is excluded from the tunnel by default, so a request for an unrelated name that resolves to 10.9.8.7 is sent through the physical adapter as intended.
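The decision logic described in the three combinations and in the solution above, written out as an added model for illustration. This is not the Pulse Secure client's own code; it only reproduces the precedence the article documents. The allow pattern *.corp.example, the hostnames, the use of shell-style wildcard matching for FQDN patterns, and the fallback to the IPv4 exclude list when no FQDN rules exist at all are assumptions made for the example.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SplitTunnelPolicy:
    """Split-tunneling Networks policy: FQDN allow/exclude lists plus IPv4 excludes."""
    fqdn_allow: List[str] = field(default_factory=list)
    fqdn_exclude: List[str] = field(default_factory=list)
    ip_exclude: List[str] = field(default_factory=list)  # single IPv4 or CIDR


def fqdn_matches(host: str, patterns: List[str]) -> bool:
    # Assumption: patterns such as *.office.net are shell-style wildcards.
    host = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)


def ip_matches(ip: str, networks: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def route(policy: SplitTunnelPolicy, host: str, resolved_ip: str) -> str:
    """Return 'tunnel' or 'physical' for a request, per the KB's three combinations."""
    if policy.fqdn_allow or policy.fqdn_exclude:
        # FQDN rules take precedence: the IPv4 exclude list is never consulted here.
        if policy.fqdn_allow:
            # Combinations 1 and 3: only names matching an allow policy are tunneled;
            # everything else, matched by an exclude rule or not, uses the physical adapter.
            return "tunnel" if fqdn_matches(host, policy.fqdn_allow) else "physical"
        # Combination 2: excluded names bypass the tunnel, all other names are tunneled.
        return "physical" if fqdn_matches(host, policy.fqdn_exclude) else "tunnel"
    # Assumption for the model: with no FQDN rules at all, the IPv4 exclude list decides.
    return "physical" if ip_matches(resolved_ip, policy.ip_exclude) else "tunnel"


# Constructed policies: the configuration from the article, and the article's fix.
BROKEN = SplitTunnelPolicy(fqdn_exclude=["*.office.net"], ip_exclude=["10.9.8.7"])
FIXED = SplitTunnelPolicy(
    fqdn_allow=["*.corp.example"],          # assumed name for the intranet that should be tunneled
    fqdn_exclude=["*.office.net"],
    ip_exclude=["10.9.8.7"],
)


def kb_scenario(policy: SplitTunnelPolicy) -> Dict[str, str]:
    """Route the three constructed requests from the article's scenario."""
    return {
        # Matches the exclude rule: bypasses the tunnel in both configurations.
        "portal.office.net": route(policy, "portal.office.net", "10.9.8.7"),
        # Unrelated name that resolves to the denied IPv4 address: the problem case.
        "alias.example.com": route(policy, "alias.example.com", "10.9.8.7"),
        # Name that matches the allow rule in the fixed configuration.
        "intranet.corp.example": route(policy, "intranet.corp.example", "10.1.2.3"),
    }


if __name__ == "__main__":
    for label, policy in (("exclude-only (KB problem)", BROKEN), ("with allow rule (KB fix)", FIXED)):
        print(label)
        for host, decision in kb_scenario(policy).items():
            print(f"  {host:24} -> {decision}")
```

With the exclude-only policy, alias.example.com is routed through the tunnel even though it resolves to the denied address 10.9.8.7; adding the allow rule flips that request to the physical adapter while intranet.corp.example keeps using the tunnel.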
Created By: Matthew Spiers