Ringfencing Internet Access

6 min. read | Last update: 01.13.2024
Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article.  

Ringfencing enables you to block an application from accessing the internet altogether, or to allow it to reach only the specific websites you know it needs.

To set up internet Ringfencing restrictions on your own policy, select the checkbox next to 'Restrict these applications from accessing the internet?'. Then type in the exclusions you want to allow access to, using wildcards and subnets as necessary. Be sure to click 'Add' after each entry.


Exclusions

Exclusions are tied to the individual policy and allow you to specify IPv4 addresses, IPv6 addresses, or domain names the application can access. Changes made to exclusions do not require you to restart the application or deploy policies.

Please Note: Any changes made to Internet Exclusions will automatically save and be applied to the policy.   

For more information on using automatic Learning mode to learn Ringfencing Exclusions, see our associated article How to use Ringfencing Internet Exclusions.   

Domain Name

To add a domain name to the 'Exclusions' list, choose 'text' from the 'Type' dropdown menu and then type in the text you wish to include in the tag. You can use wildcards in the text string. Then click the 'Add' button to add your chosen domain to the list below.  

When you use wildcards in a domain name, be careful not to place a wildcard at the end of the domain name. A pattern that ends in a wildcard matches any name that merely begins with the trusted text, and an attacker could easily set up a domain with a name that begins the same as a trusted, legitimate address (e.g. www.google.malicious_site.com).


IPv4

To add an IPv4 address, choose 'IPv4' from the 'Type' dropdown menu and then type the address you want to include in the tag. Then click the 'Add' button to add your Value to the list below. 


IPv4 Subnet

To add an entire subnet of addresses, choose 'IPv4' from the 'Type' dropdown menu and then type the address of the subnet you want to include in the tag using CIDR notation. Then click the 'Add' button to add your subnet to the list below. 


IPv6

To add an IPv6 address, choose 'IPv6' from the 'Type' dropdown menu and then type the address you want to include in the tag, being sure to click the 'Add' button when you are finished. 


Changes to Exclusions happen in real-time. You do not need to click 'Save'; you can simply exit out of the window.  

If you ever need to delete an item, simply select the delete button next to the Exclusion you want to remove. 


Tags

Tags are collections of items that can be applied to Network Control policies and Application Control policies with Network Ringfencing. They can contain strings, with or without wildcards, IPv4 addresses or IPv6 addresses. Tags allow for efficient, centralized management of allowed network domains and IP addresses, as they are shared across all of your child organizations. The same tag can be easily applied to multiple policies across your various clients. 

When you apply Ringfencing to an application that has not previously had Ringfencing applied, it is very important to place that specific policy into Monitor Only status for about a week.

Failure to place a new Ringfencing policy into Monitor Only status for a week may impact your day-to-day business operations.

Ringfencing - File access

Ringfencing - Application Interaction

Ringfencing - Registry Activity

Ringfencing A New Application 

Ringfencing Internet Access in the Legacy Portal

Ringfencing enables you to block an application from accessing the internet altogether, or to allow it to reach only the specific websites you know it needs.

Custom Rules

Custom Rules are a legacy feature. When possible, ThreatLocker recommends using Exclusions instead, as they are more efficiently managed, do not require an application restart, and can be automatically learned. If you are applying Tags, they will need to be applied in the 'Custom Rules' tab.

Exclusions

Exclusions are very efficient to manage. Here you can specify IPv4 addresses, IPv6 addresses, or domain names the application can access. Changes made to exclusions do not require you to restart the application or deploy policies.

Please Note: Any changes made to Internet Exclusions will automatically save and be applied to the policy.   

For more information on using automatic Learning mode to learn Ringfencing Exclusions, see our associated article How to use Ringfencing Internet Exclusions.  

To set up internet Ringfencing restrictions on your own policy, select the checkbox next to 'Restrict these applications from accessing the internet, except for the below rules'. Then type in the exclusions you want to allow access to, using wildcards as needed. Be sure to click 'Add' after each entry.

Domain Name

To add a domain name to the 'Exclusions' list, choose 'text' from the 'Value' dropdown menu and then type in the text you wish to include in the tag. You can use wildcards in the text string. Then click the 'Add' button to add your Value to the list below.  

When you use wildcards in a domain name, be careful not to place a wildcard at the end of the domain name. A pattern that ends in a wildcard matches any name that merely begins with the trusted text, and an attacker could easily set up a domain with a name that begins the same as a trusted, legitimate address (e.g. www.google.malicious_site.com).
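The wildcard caution above (it applies equally to the Domain Name section for the current Portal) can be checked before entries are typed in. This is an added example, not ThreatLocker code: it assumes glob-style matching in which '*' matches any run of characters, which may differ from the product's matcher, and every sample entry is constructed. It goes slightly beyond the text by also flagging a leading wildcard with no dot and by checking that IPv4/IPv6 entries parse as an address or CIDR subnet.

```python
import fnmatch
import ipaddress

def matches(pattern, host):
    """Assumed glob semantics: '*' matches any run of characters, dots included."""
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())

def audit_entry(entry_type, value):
    """Return findings for one exclusion entry; an empty list means nothing flagged."""
    findings = []
    if entry_type == "text":
        if value.endswith("*"):
            findings.append("trailing wildcard: matches any name that begins with this text")
        if value.startswith("*") and not value.startswith("*."):
            findings.append("leading wildcard without a dot: matches names that merely end with this text")
    elif entry_type in ("IPv4", "IPv6"):
        try:
            # strict=False accepts a single address as well as CIDR notation
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append("not a valid address or CIDR subnet")
        else:
            if net.version != int(entry_type[-1]):
                findings.append("address family does not match the selected type")
    else:
        findings.append("unknown entry type")
    return findings

# Constructed sample exclusion list (documentation address ranges, made-up patterns)
SAMPLE = [
    ("text", "www.google.*"),
    ("text", "*.example.com"),
    ("text", "*example.com"),
    ("IPv4", "192.0.2.10"),
    ("IPv4", "198.51.100.0/24"),
    ("IPv4", "2001:db8::1"),
    ("IPv6", "2001:db8::1"),
]

def audit(entries):
    """Map each flagged (type, value) entry to its findings."""
    return {e: f for e in entries if (f := audit_entry(*e))}

if __name__ == "__main__":
    # The article's own example host against a trailing-wildcard pattern
    print(matches("www.google.*", "www.google.malicious_site.com"))
    for entry, findings in audit(SAMPLE).items():
        print(entry, findings)
```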


IPv4

To add an IPv4 address, choose 'IPv4' from the 'Value' dropdown menu and then type the address you want to include in the tag. Then click the 'Add' button to add your Value to the list below. 


IPv4 Subnet

To add an entire subnet of addresses, choose 'IPv4' from the 'Value' dropdown menu and then type the address of the subnet you want to include in the tag using CIDR notation. Then click the 'Add' button to add your Value to the list below. 


IPv6

To add an IPv6 address, choose 'IPv6' from the 'Value' dropdown menu and then type the address you want to include in the tag, being sure to click the 'Add' button when you are finished. 


Changes to Exclusions happen in real-time. You do not need to click 'Save'; you can simply exit out of the window.  

If you ever need to delete an item, simply select the delete button next to the Exclusion you want to remove. 

When you apply Ringfencing to an application that has not previously had Ringfencing applied, it is very important to place that specific policy into Monitor Only status for about a week.

Failure to place a new Ringfencing policy into Monitor Only status for a week may impact your day-to-day business operations.
