To associate profiles with an edge, do the following:

  1. In the Cloud Services Portal, click Manage > Service Edge > Edges.
  2. Click  -> Edit, or select the edge and click the Edit button.
  3. On the Edit <edge name> page, specify the following:
    Expand the DAF section, and complete the following:
    • Log DAF violations: Enable this option to log DAF violations to the service logs and to drop all violation packets. For BloxOne Service Edge to drop packets, you must disable DAF learn-only mode.
    • DAF learn-only mode: Enable this option to log all DAF violations without dropping violation packets. If you select this option, BloxOne Service Edge will log all DAF violations to the service log and will not drop any packets, even if you have selected the Log DAF violations option.

      To enable Log DAF violations and DAF learn-only mode, you must enable the DNS Assured Forwarding service on your edge. For more details, see Enabling and Disabling Services on On-Prem Hosts, DNS Assured Forwarding (DAF), and /wiki/spaces/BloxOneCloudDraft/pages/9537946.

    • Route DAF violation: Enable this option to reroute traffic to a different destination when a DAF violation occurs. When you enable this, choose one of the following from the Egress drop-down menu:
      • Network Interface: Enter the network interface and the next hop to which you want to reroute the DAF traffic.
      • Tunnel Interface: From the drop-down list, choose the OSPF remote peer to which you want to route the DAF traffic.
      • Third Party Tunnel: Enter the IP address of the third-party tunnel, such as a Zscaler VPN tunnel, to which you want to reroute the DAF traffic.
        For information about monitoring DAF traffic, see Monitoring DAF Violations.
    • Trusted DNS: Click Add to add trusted DNS servers to the edge. Enter an IPv4 address or network address in the table. Essentially, DAF is a specialized firewall that blocks traffic to destinations that were not resolved by a trusted DNS server. You configure the list of trusted DNS servers here, so that DNS traffic to these servers and traffic to destinations resolved by these servers is not blocked when you enable DAF. Trusted DNS servers can be local IP addresses in Service Edge, DNS servers running outside of Service Edge, any on-prem hosts running the DNS service, DNS servers in NIOS, or the local domain list configured for the DNS forwarding proxy. BloxOne Service Edge provides a monitoring service so you can monitor trusted DNS violations. For information, see Monitoring Trusted DNS Violations.
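To make the interaction of these options concrete, the following added example (not Infoblox code, and not how the edge implements DAF internally) models the decision the settings above describe: a flow is allowed if it is DNS traffic to a trusted server or if its destination was resolved by a trusted server; otherwise it is a violation that is logged, dropped, rerouted, or allowed, depending on the flags. The precedence of reroute over drop, and the "allow" result when no option is enabled, are assumptions; the `resolved_by` map, `DafConfig`, and all addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass
class DafConfig:
    daf_enabled: bool = True                 # DNS Assured Forwarding service enabled on the edge
    log_violations: bool = False             # "Log DAF violations" (log and drop)
    learn_only: bool = False                 # "DAF learn-only mode" (log, never drop)
    route_violation: Optional[str] = None    # egress name when "Route DAF violation" is enabled
    trusted_dns: List[str] = field(default_factory=list)  # IPv4 addresses or networks

def is_trusted_dns(cfg: DafConfig, ip: str) -> bool:
    """True if ip matches any configured trusted DNS address or network."""
    addr = ip_address(ip)
    return any(addr in ip_network(t, strict=False) for t in cfg.trusted_dns)

def evaluate(cfg: DafConfig, dst: str, dport: int,
             resolved_by: Dict[str, str]) -> Tuple[str, bool]:
    """Return (action, logged) for a flow to dst:dport.
    resolved_by maps a destination IP to the DNS server that resolved it
    (as learned from observed DNS answers); unknown destinations are absent."""
    if not cfg.daf_enabled:
        return ("allow", False)          # logging / learn-only require the DAF service
    # DNS traffic to a trusted server is never a violation.
    if dport == 53 and is_trusted_dns(cfg, dst):
        return ("allow", False)
    resolver = resolved_by.get(dst)
    if resolver is not None and is_trusted_dns(cfg, resolver):
        return ("allow", False)
    # Anything else is a DAF violation.
    logged = cfg.log_violations or cfg.learn_only
    if cfg.learn_only:                   # learn-only logs but never drops
        return ("allow", logged)
    if cfg.route_violation:              # assumption: reroute takes precedence over drop
        return ("reroute:" + cfg.route_violation, logged)
    if cfg.log_violations:
        return ("drop", True)
    return ("allow", False)              # assumption: nothing enabled means no enforcement

# Constructed sample data, not taken from any real deployment.
TRUSTED = ["10.0.0.53", "192.168.10.0/24"]
RESOLVED_BY = {"93.184.216.34": "10.0.0.53",     # resolved via a trusted server
               "198.51.100.7": "203.0.113.9"}    # resolved via an untrusted server

if __name__ == "__main__":
    enforce = DafConfig(log_violations=True, trusted_dns=TRUSTED)
    learn = DafConfig(log_violations=True, learn_only=True, trusted_dns=TRUSTED)
    for cfg in (enforce, learn):
        print(evaluate(cfg, "198.51.100.7", 443, RESOLVED_BY))
```

Running the block shows the same untrusted-resolved flow being dropped under enforcement but only logged once learn-only mode is on, which is the behaviour to confirm in the service log before turning learn-only off.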
