07-17-2014 05:41 PM
Make sure your controller has a DNS server defined and that name lookups are enabled.
07-18-2014 10:55 AM - edited 07-18-2014 11:00 AM
Some will require command line:
ip name-server <dns-server-ip-1>
ip name-server <dns-server-ip-2>
ip domain lookup
(it will tell you that you need to reboot; however, it should work without rebooting the controller)
GUI example: blocking all of facebook.com, including subdomains.
Create a netdestination under Configuration > Advanced Services > Stateful Firewall > Destination
- Give it a name and add a new rule of type "Name".
- Enter the domain name you are trying to block. Since we are blocking subdomains as well (www.facebook, login.facebook), we will put an asterisk in front (see screenshot)
Now you'll want to create a new session ACL to block the traffic.
- Navigate to Configuration > Security > Policies
- Click Add to create a new session policy. Give it a name.
- Click the add button to add an ACL entry. The screenshot below will block all traffic to any facebook website that ends in facebook.com
- Notice for destination, you will select "Alias" and then choose the netdestination that you created in the previous step.
The last step is to add that policy to a user-role. Make sure it is higher than an allowall or allow all http/https.
If you'd like to see the current DNS cache on the controller, run:
#show firewall dns-names
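The same three GUI steps (name-based netdestination, session ACL, role ordering) expressed as a CLI configuration. This is an added example, not from the original post; it assumes ArubaOS 6.x CLI syntax, and the object names `fb-dest`, `block-facebook` and `employee` are placeholders to be replaced with your own. Verify the exact keywords against the command reference for your controller version.

```text
! Step 0: DNS must work on the controller, or name-based rules never match.
! (these are the commands quoted in the post above; replace the placeholder IPs)
ip name-server <dns-server-ip-1>
ip name-server <dns-server-ip-2>
ip domain lookup

! Step 1: netdestination of type "Name". The leading asterisk covers
! subdomains such as www.facebook.com and login.facebook.com.
! "fb-dest" is an assumed name.
netdestination fb-dest
  name *.facebook.com
!
! Step 2: session ACL. Destination is the alias created above;
! "any" service, action "deny". "block-facebook" is an assumed name.
ip access-list session block-facebook
  user alias fb-dest any deny
!
! Step 3: attach the ACL to the user-role ABOVE the permissive ACL.
! ACLs in a role are evaluated top-down, so "position 1" makes sure the
! deny is hit before allowall. "employee" is an assumed role name.
user-role employee
  session-acl block-facebook position 1
  session-acl allowall
!
! Verification: confirm the controller has resolved the name and that
! the learned addresses appear in its DNS cache.
show firewall dns-names
show rights employee
```

Two checks worth doing after applying this: `show rights employee` should list `block-facebook` before `allowall`, and `show firewall dns-names` should populate only after a client on the controller actually resolves a facebook.com host, since the controller learns the addresses from observed DNS replies rather than resolving the wildcard itself.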