Summary
In v7.4 of the Exinda Firmware, it is possible to create Network Objects based on FQDN, not just IP. This FQDN network object can be used to create policies to block, ignore or optimize traffic to certain websites.

Overview
Network Objects are a large part of the functionality of the Exinda firmware. In v7.0.3u1 and earlier of the firmware, it was only possible to create a network object based on an IP or a subnet.
In v7.4 and above it is possible through the command line (not through the web UI) to create Network Objects based on a Fully Qualified Domain Name (FQDN).
The benefit of using an FQDN is that Exinda resolves the DNS name for the website and maps it to an IP address automatically. Hence network objects based on web server IPs do not have to be updated by hand every time those addresses change.
When an FQDN network object is made, the system performs a DNS lookup on the FQDN to obtain the server IPs to attach to the object. These IPs are stored in the network object, so any policy, filter or rule based on that network object is applied whenever traffic to or from one of those IPs is seen. The stored list stays in effect until a subsequent DNS lookup picks up any change made on the server side.
This operation has to be done through the command line. The command, from the configuration prompt (conf t), is the following:
network-object <NAME> fqdn <fully-qualified-domain-name>
Where:
- <NAME> is the name of the network object you are creating
- <fully-qualified-domain-name> is the FQDN of the network object you want to create, eg: www.exinda.com
Once this network object is created, the information can be examined by using the 'show network-object <NAME>' command. For example:
The appliance has done a DNS lookup and has come back with an IP address for www.exinda.com. If this were to change, the system would update the Subnet list on a subsequent DNS check.
Please note that currently in the web UI, in the Network Objects menu, an FQDN network object appears blank, without any hosts in it, as so:
This does not mean that it is not working; the only way to determine whether it is enabled is to use the 'show network-objects' command in the CLI.
Please Note: If the appliance does not have DNS enabled or set up (under Configuration > System > Network, under the "DNS" tab on the Web UI), then FQDN network objects will not work.
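The matching behaviour described above (resolve the FQDN once, store the resulting hosts, match traffic against the stored list until the next DNS check) can be modelled in a few lines. The following is an added illustration written for this article, not Exinda code: the FqdnNetworkObject class, the resolver callback and the constructed DNS answers are all assumptions, and the summary() output is not the format of the real 'show network-object' command. It also shows the two caveats from the text: a server that moves to a new address is not matched until the object is refreshed, and with no working DNS the object is empty and matches nothing.

```python
"""Model of how an FQDN-based network object is matched against traffic.

Added illustration, not appliance code. It assumes a resolver callback
that returns the A/AAAA records for a hostname; the appliance's own
resolver and refresh interval are not modelled.
"""
import ipaddress
from typing import Callable, Iterable

# A resolver maps a hostname to the list of address strings DNS returned.
# An empty list stands in for "DNS not configured / no answer".
Resolver = Callable[[str], Iterable[str]]


class FqdnNetworkObject:
    """A network object defined by a hostname rather than a fixed subnet."""

    def __init__(self, name: str, fqdn: str, resolver: Resolver):
        self.name = name
        self.fqdn = fqdn
        self.resolver = resolver
        # Each resolved host is stored as a single-host network (/32 or /128).
        self.subnets: set = set()
        self.refresh()  # initial DNS lookup when the object is created

    def refresh(self) -> bool:
        """Re-resolve the FQDN; return True if the stored host list changed."""
        answers = list(self.resolver(self.fqdn))
        new = {ipaddress.ip_network(a) for a in answers}
        changed = new != self.subnets
        self.subnets = new
        return changed

    def matches(self, ip: str) -> bool:
        """True if a packet to/from `ip` would hit a policy using this object."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.subnets)

    def summary(self) -> dict:
        """Plain data view of the object (hypothetical format, for inspection)."""
        return {
            "name": self.name,
            "fqdn": self.fqdn,
            "subnets": sorted(str(n) for n in self.subnets),
        }


if __name__ == "__main__":
    # Constructed DNS answers; the second assignment simulates the web
    # server gaining a new address after the object was created.
    dns = {"www.example.com": ["203.0.113.10"]}
    obj = FqdnNetworkObject("WEB", "www.example.com", lambda n: dns.get(n, []))
    print(obj.summary())
    dns["www.example.com"] = ["203.0.113.10", "203.0.113.11"]
    print("new address matched before refresh:", obj.matches("203.0.113.11"))
    print("changed on refresh:", obj.refresh())
    print("new address matched after refresh:", obj.matches("203.0.113.11"))
```

The resolver is injected so the model runs offline; on a real appliance the equivalent is the DNS server configured under Configuration > System > Network, and the example's empty-answer case is exactly why the article warns that FQDN objects do nothing when DNS is not set up.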
Priyanka Bhotika