FQDN Analysis gives you visibility into the external domains your workloads resolve and connect to, and enables insights into cloud application usage, business-relevant usage, risky user behavior, and potentially malicious activity.

Prerequisites and limitations:

  • NSX Edges (management interface) need access to the internet to download category and reputation definitions from VMware Cloud.
  • Medium and larger VM form factor edge nodes, or physical edge nodes, are supported.
  • The DNS server must be north of the tier-1 gateway, so that DNS requests and responses traverse the gateway where they are intercepted.
  • Only north/south internet traffic from workloads deployed behind a tier-1 gateway is analyzed; east/west traffic is not.
  • A Layer 7 DNS rule must exist on the tier-1 gateway to intercept DNS request and response traffic. Create one if it doesn't already exist:
  1. Navigate to Security > Gateway Firewall and check that you are on the Gateway Specific tab.
  2. Click Add Policy to create a policy section, and give the section a name.
  3. Select the check box next to the policy and click Add Rule.
  4. Configure the following options:
     Name: Provide a name for the rule, such as L7 DNS Rule
     Source: Any or a specific group
     Destination: Any or a specific group
     Services: DNS-UDP and DNS
     Profiles: DNS context profile
     Applied To: Select all of the tier-1 gateways backed by the NSX Edge cluster where FQDN Analysis is enabled.
     Action: Allow
  5. Click Publish.
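The same L7 DNS rule can be created and pre-checked through the NSX Policy API instead of the UI. The following is an added example, not code from the VMware documentation: it builds the GatewayPolicy body for PUT /policy/api/v1/infra/domains/default/gateway-policies/<policy-id> and checks an existing policy (as returned by GET on that path) for a rule that applies the DNS context profile, both DNS services and Allow to every tier-1 gateway that will have FQDN Analysis enabled. The object paths /infra/services/DNS, /infra/services/DNS-UDP and /infra/context-profiles/DNS are the predefined NSX objects as this example assumes them to be named; confirm them against your NSX Manager. The sample policy embedded below is constructed for the example.

```python
"""Build and pre-check the Layer 7 DNS gateway firewall rule required by FQDN Analysis.

Added example; not part of the NSX documentation. Object paths are assumptions,
confirm them with GET /policy/api/v1/infra/services and /infra/context-profiles.
"""
import json
from typing import Dict, Iterable, List

SERVICE_DNS = "/infra/services/DNS"             # assumed predefined TCP/UDP 53 service
SERVICE_DNS_UDP = "/infra/services/DNS-UDP"     # assumed predefined UDP 53 service
CONTEXT_PROFILE_DNS = "/infra/context-profiles/DNS"  # assumed predefined L7 DNS profile
REQUIRED_SERVICES = {SERVICE_DNS, SERVICE_DNS_UDP}
TIER1_PREFIX = "/infra/tier-1s/"


def build_l7_dns_policy(policy_id: str, tier1_paths: Iterable[str]) -> Dict:
    """Return the GatewayPolicy body for PUT .../gateway-policies/<policy_id>.

    The single rule mirrors the UI steps: any source/destination, both DNS
    services, the DNS context profile, Allow, applied to the given tier-1s.
    """
    scope = sorted(set(tier1_paths))
    if not scope:
        raise ValueError("rule must be applied to at least one tier-1 gateway")
    for path in scope:
        if not path.startswith(TIER1_PREFIX):
            raise ValueError(f"not a tier-1 gateway path: {path}")
    return {
        "resource_type": "GatewayPolicy",
        "id": policy_id,
        "display_name": policy_id,
        "category": "LocalGatewayRules",
        "rules": [{
            "resource_type": "Rule",
            "id": "l7-dns-rule",
            "display_name": "L7 DNS Rule",
            "source_groups": ["ANY"],
            "destination_groups": ["ANY"],
            "services": [SERVICE_DNS_UDP, SERVICE_DNS],
            "profiles": [CONTEXT_PROFILE_DNS],
            "scope": scope,
            "action": "ALLOW",
        }],
    }


def find_l7_dns_rule_gaps(policy: Dict, tier1_paths: Iterable[str]) -> List[str]:
    """Check an existing GatewayPolicy for an L7 DNS rule covering each tier-1.

    Returns a list of problems; an empty list means every listed tier-1 has an
    enabled Allow rule with the DNS context profile and both DNS services.
    """
    problems: List[str] = []
    covered = set()
    for rule in policy.get("rules", []):
        if rule.get("action") != "ALLOW" or rule.get("disabled", False):
            continue
        if CONTEXT_PROFILE_DNS not in rule.get("profiles", []):
            continue  # not an L7 DNS rule, ignore
        if not REQUIRED_SERVICES.issubset(rule.get("services", [])):
            problems.append(
                f"rule {rule.get('display_name')} has the DNS profile but not both DNS services")
            continue
        covered.update(rule.get("scope", []))
    for t1 in sorted(set(tier1_paths) - covered):
        problems.append(f"no L7 DNS rule applied to {t1}")
    return problems


# Constructed sample of what GET on a gateway policy might return: the rule
# carries the DNS context profile but only the UDP service, so TCP DNS
# (large responses, zone transfers) would bypass interception.
SAMPLE_EXISTING_POLICY = {
    "resource_type": "GatewayPolicy",
    "id": "t1-dns-policy",
    "display_name": "t1-dns-policy",
    "category": "LocalGatewayRules",
    "rules": [{
        "resource_type": "Rule",
        "display_name": "udp-only-dns",
        "services": [SERVICE_DNS_UDP],
        "profiles": [CONTEXT_PROFILE_DNS],
        "scope": ["/infra/tier-1s/t1-prod"],
        "action": "ALLOW",
    }],
}

if __name__ == "__main__":
    gateways = ["/infra/tier-1s/t1-prod", "/infra/tier-1s/t1-dev"]
    for problem in find_l7_dns_rule_gaps(SAMPLE_EXISTING_POLICY, gateways):
        print("gap:", problem)
    # Body to PUT to NSX Manager (hypothetical policy id fqdn-analysis-dns).
    print(json.dumps(build_l7_dns_policy("fqdn-analysis-dns", gateways), indent=2))
```

Run the pre-check against every tier-1 gateway you intend to enable FQDN Analysis on before activating it; a rule that carries the DNS context profile but only one of the two DNS services, or that is not applied to one of the gateways, leaves part of the DNS traffic uninspected and the dashboard silently incomplete for that gateway.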

Activate FQDN Analysis

  1. Turn on FQDN Analysis per tier-1 gateway, and the URL database per corresponding edge cluster, by navigating to Security > Gateway Firewall > Settings > FQDN Analysis. Once activated, the URL database is downloaded to each member of the edge cluster. See Gateway Firewall Settings.
    Note: Fetching the URL database version is not supported if a proxy server is activated in your environment. NSX Edges must have a direct internet connection to the VMware NTICS cloud to fetch the URL database version.
  2. Monitor FQDN Analysis on the FQDN Analysis Dashboard.