Ringfencing™ enables you to block an application from accessing the internet altogether. Or you can specify only certain websites that you know this application needs to access.
To set up internet Ringfencing restrictions on your own policy, select the checkbox next to 'Restrict these applications from accessing the internet?'. Then, you will type in the exclusions you want to allow access to, using wildcards and subnets as necessary. Be sure to click 'Add' after each entry.
Exclusions
Exclusions are tied to the individual policy and allow you to specify IPv4 addresses, IPv6 addresses, or domain names the application can access. Changes made to exclusions do not require you to restart the application or deploy policies.
Please Note: Any changes made to Internet Exclusions will automatically save and be applied to the policy.
For more information on using automatic Learning mode to learn Ringfencing Exclusions, see our associated article How to use Ringfencing Internet Exclusions.
Domain Name
To add a domain name to the 'Exclusions' list, choose 'text' from the 'Type' dropdown menu and then type in the text you wish to include in the tag. You can use wildcards in the text string. Then click the 'Add' button to add your chosen domain to the list below.
When you are using wildcards in the domain name, be careful not to place a wildcard at the end of a domain name. An attacker could easily set up a domain with a name that begins the same as a trusted, legitimate address. (e.g. www.google.malicious_site.com)
IPv4
To add an IPv4 address, choose 'IPv4' from the 'Type' dropdown menu and then type the address you want to include in the tag. Then click the 'Add' button to add your Value to the list below.
IPv4 Subnet
To add an entire subnet of addresses, choose 'IPv4' from the 'Type' dropdown menu and then type the address of the subnet you want to include in the tag using CIDR notation. Then click the 'Add' button to add your subnet to the list below.
IPv6
To add an IPv6 address, choose 'IPv6' from the 'Type' dropdown menu and then type the address you want to include in the tag, being sure to click the 'Add' button when you are finished.
Changes to Exclusions happen in real time. You do not need to click 'Save'; you can exit out of the window.
If you ever need to delete an item, select the delete button next to the Exclusion you want to remove.
Tags
Tags are collections of items that can be applied to Network Control policies and Application Control policies with Network Ringfencing. They can contain strings, with or without wildcards, IPv4 addresses or IPv6 addresses. Tags allow for efficient, centralized management of allowed network domains and IP addresses, as they are shared across all of your child organizations. The same tag can be easily applied to multiple policies across your various clients.
When you are applying Ringfencing™ to an Application that has previously not had Ringfencing™ applied, it is very important to place that specific Policy into a Monitor Only Status for about a week.
Failure to place a new Ringfencing Policy into a Monitor Only Status for a week may possibly impact your day-to-day business operations.
Ringfencing - Application Interaction