How to Use Ringfencing Internet Exclusions
In ThreatLocker Version 6.0 and above, under the 'Internet' tab on Ringfencing policies, there is a new 'Exclusions' tab. This tab functions much like the ThreatLocker tags feature. Here you can create a whitelist of IPv4 addresses, IPv6 addresses, or domains that the Application whose Policy you are editing can interact with. And, like tags, you do not need to deploy Policies for the changes to take effect.
To reach the 'Exclusions' tab, navigate to Application Control > Policies. Find the Policy you would like to edit and click the pencil icon (edit button).
Under the 'Status' box, you will see 4 tabs in a row. Select the 'Internet' tab.
Then you need to select the checkbox next to 'Restrict these Applications from accessing the internet, except for the below rules'. This will allow you to create a whitelist of IP addresses and domains that the chosen Application can communicate with.
After you select that, the 'Exclusions' and 'Custom Rules' tabs will appear. Click on the 'Exclusions' tab to view and edit your 'Exclusions'.
Learning Mode and Exclusions
While in automatic Learning Mode, ThreatLocker will automatically learn the IP addresses an Application with Ringfencing is communicating with and will place those addresses in this 'Exclusions' box.
You can easily add to this list or delete items if you find the Application is communicating with an undesired address. Once this list is edited, you will not need to deploy Policies. The changes will automatically be applied.
If you are leveraging this feature for the first time after your endpoints are in Secured Mode, you could place the computer in automatic Learning Mode, run the Application, and let ThreatLocker automatically add the addresses for you.
Manually Adding Values
To add a domain name to the 'Exclusions' list, choose 'text' from the 'Value' dropdown menu and then type in the text you wish to include in the tag. You can use wildcards in the text string. Then click the 'Add' button to add your value to the list below.
To add an IPv4 address, choose 'IPv4' from the 'Value' dropdown menu and then type the address you want to include in the tag. Then click the 'Add' button to add your value to the list below.
To add an entire subnet of addresses, choose 'IPv4' from the 'Value' dropdown menu and then type the address of the subnet you want to include in the tag using CIDR notation. Then click the 'Add' button to add your value to the list below.
To add an IPv6 address, choose 'IPv6' from the 'Value' dropdown menu and then type the address you want to include in the tag, being sure to click the 'Add' button when you are finished.
To remove an 'Exclusion' from the list, click the 'Delete' button beside the item you want to remove.
When you are finished manipulating your Exclusions list, you can click the 'Save' button in the top left corner of the Policy window, or you can simply exit out of the window. The changes will automatically be saved and applied to your endpoints as you are editing them.
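A pre-check for candidate entries, as an added example that is not part of the original article or ThreatLocker's own tooling: it sorts each value into the 'Value' dropdown types described above and flags entries broad enough to undo the restriction. The `*` wildcard character, the prefix thresholds, and the sample values are assumptions.

```python
import ipaddress

# Review thresholds are assumptions for this example, not ThreatLocker settings.
MIN_PREFIX = {4: 16, 6: 32}


def classify(value):
    """Return (value_type, warnings) for one candidate exclusion entry.

    value_type is 'IPv4', 'IPv6' or 'text', matching the 'Value' dropdown.
    """
    value = value.strip()
    if not value:
        return "text", ["empty entry"]
    warnings = []
    try:
        # Accepts a single address or CIDR notation, with or without host bits.
        iface = ipaddress.ip_interface(value)
    except ValueError:
        iface = None
    if iface is not None:
        net = iface.network
        if net.prefixlen < MIN_PREFIX[net.version]:
            warnings.append(f"/{net.prefixlen} covers {net.num_addresses} addresses")
        if iface.ip != net.network_address:
            warnings.append(f"host bits set; the subnet is {net}")
        return f"IPv{net.version}", warnings
    # Everything else is a 'text' entry; '*' as the wildcard is an assumption.
    labels = [l for l in value.lower().rstrip(".").split(".") if l]
    fixed = [l for l in labels if "*" not in l]
    if not fixed:
        warnings.append("wildcard matches every domain")
    elif "*" in value and len(fixed) < 2:
        warnings.append("wildcard spans a whole top-level domain")
    return "text", warnings


def review(entries):
    """Map each entry to (value_type, warnings), keeping input order."""
    return {e: classify(e) for e in entries}


if __name__ == "__main__":
    # Constructed sample list (documentation address ranges and domains).
    sample = ["203.0.113.10", "198.51.100.0/24", "10.1.2.3/24", "0.0.0.0/0",
              "2001:db8::1", "*.example.com", "*.com", "*"]
    for entry, (kind, warns) in review(sample).items():
        print(f"{entry:18} {kind:5} {'; '.join(warns) or 'ok'}")
```

The same check can be run over addresses collected during Learning Mode before leaving them in the list.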