To associate profiles with an edge, do the following:

  1. In the Cloud Services Portal, click Manage > Service Edge > Edges.
  2. Click  -> Edit, or select the edge and click the Edit button.
  3. On the Edit <edge name> page, specify the following:
    Expand the DAF section, and complete the following:
    • Log DAF violations: Enable this option to log DAF violations to the service logs and to drop all violation packets. For BloxOne Service Edge to drop packets, you must disable DAF learn-only mode.
    • DAF learn-only mode: Enable this option to log all DAF violations without dropping violation packets. If you select this option, BloxOne Service Edge will log all DAF violations to the service log and will not drop any packets, even if you have selected the Log DAF violations option.

      To enable Log DAF violations and DAF learn-only mode, you must enable the DNS Assured Forwarding service on your edge. For more details, see Enabling and Disabling Services on On-Prem Hosts, DNS Assured Forwarding (DAF), and /wiki/spaces/BloxOneCloudDraft/pages/9537946.

    • Route DAF violation: Enable this option to reroute traffic to a different destination when DAF violation happens. When you enable this, choose one of the following from the Egress drop-down menu: 
      • Network Interface: Enter the network interface and the next hop to which you want to reroute the DAF traffic.
      • Tunnel Interface: From the drop-down list, choose the OSPF remote peer to which you want to route the DAF traffic.
      • Third Party Tunnel: Enter the IP address of the third-party tunnel, such as the zScaler VPN tunnel, to which you want to reroute the DAF traffic.
        For information about monitoring DAF traffic, see Monitoring DAF Violations.
    • Trusted DNS: Click Add to add trusted DNS servers to the edge. Enter the IPv4 address or network address in the table. Essentially, DAF is a specialized firewall that blocks traffic to destinations that were not resolved by trusted DNS servers. You can configure a list of trusted DNS servers here, so that DNS traffic to these servers, and traffic to destinations resolved by these servers, is not blocked when you enable DAF. Trusted DNS servers can be local IP addresses in Service Edge, DNS servers running outside of Service Edge, any on-prem hosts running the DNS service, DNS servers in NIOS, or the local domain list configured for the DNS forwarding proxy. BloxOne Service Edge provides a monitoring service so you can monitor trusted DNS violations. For information, see Monitoring Trusted DNS Violations.

  Expand the Profiles section and complete the following:

    • AVAILABLE PROFILES: Select the profiles you want to associate with the edge, and use the down arrows to move them to the SELECTED PROFILES section. To move all profiles, use the double arrows.
    • To remove a selected profile, click X next to the profile in the SELECTED PROFILES column. To remove all selected profiles, click the  icon.

  Expand the Networks Variable Objects section and complete the following:

    • AVAILABLE NETWORK VARIABLE OBJECTS: Select the objects you want to associate with the edge, and use the down arrows to move them to the SELECTED NETWORK VARIABLE OBJECTS section. To move all objects, use the double arrows. 
    • To remove a selected object, click X next to the object in the SELECTED NETWORK VARIABLE OBJECTS column. To remove all selected objects, click the  icon.

  Expand the Routes originated from the selected edge section to configure route distribution. For information, see Configuring Route Distribution.

  Expand the Static Routes section, click Add New Static Routes, and then complete the following:

    • Prefix: Enter the IPv4 prefix for the static route.
    • Metric: Static routes are prioritized by the metric value. The lower the metric value, the higher the precedence, so a static route with a lower metric takes precedence over one with a higher metric.
    • Next Hop: Enter the IP address of the next hop.
  4. Click Save & Close or Cancel.
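The DAF options in step 3 interact in a way that is easy to misread: learn-only mode logs violations but never drops, and overrides Log DAF violations. The following is an added example, not Infoblox code, that models that decision logic so you can see which combination of settings allows, logs, drops or reroutes a flow. All addresses and traffic are constructed; the behaviour when neither option is enabled is not described on the page and is assumed here to be plain forwarding.

```python
"""Minimal model of DNS Assured Forwarding (DAF) decisions on a Service Edge.
Added example: names, addresses and the no-option behaviour are assumptions."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


@dataclass
class DafEdge:
    trusted_dns: set                        # entries from the "Trusted DNS" table (IPv4 host or network)
    log_violations: bool = False            # "Log DAF violations": log and drop violation packets
    learn_only: bool = False                # "DAF learn-only mode": log only, never drop
    route_violation: Optional[str] = None   # "Route DAF violation" egress, e.g. "third_party_tunnel"
    resolved: set = field(default_factory=set)   # destinations learned from trusted answers
    log: list = field(default_factory=list)      # constructed stand-in for the service log

    def is_trusted_dns(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(t, strict=False) for t in self.trusted_dns)

    def observe_dns_answer(self, server: str, answer_ip: str) -> None:
        """Only answers coming from a trusted DNS server make a destination reachable."""
        if self.is_trusted_dns(server):
            self.resolved.add(answer_ip)

    def evaluate(self, dst_ip: str, dport: int) -> str:
        """Return allow / drop / reroute:<egress> for one outbound flow."""
        if dport == 53 and self.is_trusted_dns(dst_ip):
            return "allow"                  # queries to trusted DNS servers are never blocked
        if dst_ip in self.resolved:
            return "allow"                  # destination was resolved by a trusted server
        # Everything else is a DAF violation.
        if self.log_violations or self.learn_only:
            self.log.append(f"DAF violation: {dst_ip}:{dport}")
        if self.learn_only:
            return "allow"                  # learn-only: logged, but no packets are dropped
        if self.route_violation:
            return f"reroute:{self.route_violation}"   # violation traffic sent to the chosen egress
        return "drop" if self.log_violations else "allow"   # assumption: no option set => forward


if __name__ == "__main__":
    edge = DafEdge(trusted_dns={"10.0.0.53"}, log_violations=True)
    edge.observe_dns_answer("10.0.0.53", "203.0.113.10")      # trusted answer: learned
    edge.observe_dns_answer("198.51.100.53", "203.0.113.20")  # untrusted resolver: not learned
    for dst in ("203.0.113.10", "203.0.113.20"):
        print(dst, edge.evaluate(dst, 443))
```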