
RPZ whitelisting? and RPZ vs blacklist?

TPersson
Techie
Posts: 8
6220     0

We are doing a proof of concept with RPZ and the reporting service, and I have two questions:

1. Does anyone know if you can whitelist an IP/domain when using RPZ in case it catches a false positive?

2. Is it possible to redirect RPZ (DNS firewall) requests to another IP, like you can through a blacklist ruleset?

That way we can inform the users that they are trying to connect to a bad domain/IP.

 

Regards
Terje Persson | Technical University of Denmark

Re: RPZ whitelisting? and RPZ vs blacklist?

RLangston
Techie
Posts: 13
6221     0

 

1. Whitelisting is both supported and encouraged with RPZ. The admin guide outlines a best practice of creating a whitelist as part of your initial install.

 

2. You can set a "substitute" policy for domains on the blacklist.  This will send an IP of your choosing as the result of the lookup.

 

Re: RPZ whitelisting? and RPZ vs blacklist?

TPersson
Techie
Posts: 8
6221     0

Aah yeah... the admin guide... why do I always forget to look in that, hehe.

I found it and more, thanks for reminding me :)

 

 

Regards
Terje Persson | Technical University of Denmark

Re: RPZ whitelisting? and RPZ vs blacklist?

Adviser
Posts: 267
6221     0

Do you mind sharing what section/page you found the information on to help fellow community members who may have the same question?

 

Thank you!

If you appreciate my efforts, please give me a kudo ↓ or Accept as solution to help others find it faster.

Re: RPZ whitelisting? and RPZ vs blacklist?

TPersson
Techie
Posts: 8
6221     0

This is what I did:

1. Whitelisting false-positive domains

  • First create a "Local Response Policy zone" and make sure the local zone policy has a higher order value than the RPZ zone policy.
  • Add the false-positive domains into the newly created local policy zone; add them with the Policy action "Passthru Domain name".

2. Redirecting RPZ domains to a local website with information for the users

  • Edit the "Response Policy Zone", in my case "malware.rpz.infoblox.local", change the option "Policy override" to "Substitute (domain name)" and then paste in the local website with user information in the option "domain name".

I hope this is understandable for people; if not, message me and I will try to help or change my post.

 

 

 

 

Regards
Terje Persson | Technical University of Denmark
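
An added example, not part of the thread and not Infoblox code: a simplified Python model of why the local passthru zone has to take precedence over the feed zone, and how a zone-wide Substitute override changes the answer. It assumes policy zones are consulted in list order with the first matching zone deciding; the local zone name, the rules and the landing host `blocked.example.internal` are constructed for illustration.

```python
# Simplified model of RPZ QNAME-trigger evaluation; all data below is constructed.
PASSTHRU, NXDOMAIN, SUBSTITUTE = "passthru", "nxdomain", "substitute"


class PolicyZone:
    def __init__(self, name, rules, override=None):
        self.name = name
        self.rules = rules        # trigger -> (action, target)
        self.override = override  # zone-wide "policy override", or None

    def match(self, qname):
        """Return (action, target) if a trigger in this zone covers qname, else None."""
        labels = qname.lower().rstrip(".").split(".")
        # Exact name first, then wildcards from most to least specific.
        triggers = [".".join(labels)]
        triggers += ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
        for trigger in triggers:
            if trigger in self.rules:
                return self.override or self.rules[trigger]
        return None


def evaluate(zones, qname):
    """Check zones in list order; the first zone with a matching trigger decides."""
    for zone in zones:
        hit = zone.match(qname)
        if hit is not None:
            return zone.name, hit
    return None, (PASSTHRU, None)  # no policy matched: answer normally


# Hypothetical local zone holding the false positives as passthru rules.
local = PolicyZone("local.rpz.example", {"portal.example.org": (PASSTHRU, None)})
# Feed zone named as in the post; its rules and the landing host are made up.
feed = PolicyZone(
    "malware.rpz.infoblox.local",
    {"example.org": (NXDOMAIN, None), "*.example.org": (NXDOMAIN, None),
     "bad.example.net": (NXDOMAIN, None)},
    override=(SUBSTITUTE, "blocked.example.internal"),
)

if __name__ == "__main__":
    for order in ([local, feed], [feed, local]):
        print([z.name for z in order])
        for name in ("portal.example.org", "bad.example.net", "clean.example.com"):
            print("  ", name, "->", evaluate(order, name))
```

With the feed zone listed first, the whitelisted name is still rewritten to the landing host, which is the misordering to check for when a passthru rule appears to have no effect.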