I have a query where I need to block malicious domains based on an EDL which we have internally.
I have called the EDL by name in the Application/URL category of the policy; it consists of a certain number of malicious domains which need to be denied.
For this I have not seen any hit counts appear, and I'm not sure if it's working.
I need to know how to block or deny malicious domains based upon the EDL.
For this do we need to enable decryption?
If the DNS requests are being parsed through HTTPS, then yes, you will need decryption enabled. Most browsers default to DoH these days, so you may want to convince your SysAdmin to disable it.
Please also see this thread for wildcard / domain formatting, which may also be causing issues.
When you set up the EDL, did you set the type to URL or domain? Formatting can also be a major issue if this is the first time you are attempting to use an EDL, so make sure it's formatted correctly.
You actually don't need decryption to be able to block domains, but you do have to be mindful of what the firewall will actually see when looking at the traffic. Without decryption you'll only be able to see the domain as presented unencrypted in the handshake.