Exception Rule for Egress FQDN Filter

The Exception Rule is a system-wide mode, and it applies only to the Allowlist.

By default, the Exception Rule is enabled.

When the Exception Rule is enabled, packets passing through the gateway without an SNI field are allowed through. This usually happens when an application uses a hard-coded destination IP address for an HTTPS connection instead of a domain name.

When the Exception Rule is disabled, packets passing through the gateway without an SNI field are dropped unless the packet's specific destination IP address is listed in the Allowlist. The use case is that certain old applications use a hard-coded destination IP address to access external services.
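The decision described in the two paragraphs above depends on whether the TLS Client Hello carries an SNI extension. The following is an added example, not the gateway's own code: it builds constructed Client Hello packets, extracts the SNI from the handshake, and then applies the Allowlist logic with the Exception Rule on or off. The function names, the allowlist format (exact host names plus IP networks in CIDR form) and all sample values are assumptions made for the example.

```python
import ipaddress
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000


def build_client_hello(sni=None):
    """Construct a minimal TLS 1.2 ClientHello (constructed test input, not a real capture)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    body = (
        b"\x03\x03"                                  # client_version TLS 1.2
        + b"\x00" * 32                               # random (zeros, constructed)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # one compression method (null)
        + struct.pack("!H", len(exts)) + exts        # extensions block
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(packet):
    """Return the SNI host name from a ClientHello, or None if absent or unparseable."""
    try:
        if packet[0] != TLS_HANDSHAKE or packet[5] != CLIENT_HELLO:
            return None
        pos = 5 + 4 + 2 + 32                       # record hdr, handshake hdr, version, random
        pos += 1 + packet[pos]                     # session_id
        pos += 2 + struct.unpack("!H", packet[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + packet[pos]                     # compression_methods
        if pos >= len(packet):
            return None                            # no extensions block at all
        ext_len = struct.unpack("!H", packet[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", packet[pos:pos + 4])
            pos += 4
            if etype == EXT_SERVER_NAME:
                # server_name_list length (2), name_type (1), name length (2), name
                name_len = struct.unpack("!H", packet[pos + 3:pos + 5])[0]
                return packet[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def egress_decision(packet, dst_ip, allowed_hosts, allowed_nets, exception_rule=True):
    """Model of the Allowlist decision for one packet (assumed policy shape, for illustration).

    Returns (verdict, reason) where verdict is "allow" or "drop".
    """
    sni = extract_sni(packet)
    if sni is None:
        # No SNI: pass when the Exception Rule is on, otherwise require an IP allowlist hit.
        if exception_rule:
            return "allow", "no SNI, Exception Rule enabled"
        addr = ipaddress.ip_address(dst_ip)
        if any(addr in ipaddress.ip_network(net) for net in allowed_nets):
            return "allow", "no SNI, destination IP is allowlisted"
        return "drop", "no SNI, Exception Rule disabled and IP not allowlisted"
    # SNI present: exact host-name match against the Allowlist (assumed matching rule).
    if sni in allowed_hosts:
        return "allow", f"SNI {sni} matches Allowlist"
    return "drop", f"SNI {sni} not in Allowlist"


if __name__ == "__main__":
    hosts, nets = ["api.example.com"], ["203.0.113.0/24"]
    for pkt, ip, exc in [(build_client_hello(), "203.0.113.10", False),
                         (build_client_hello(), "198.51.100.5", False),
                         (build_client_hello(), "198.51.100.5", True),
                         (build_client_hello("api.example.com"), "198.51.100.5", False)]:
        print(egress_decision(pkt, ip, hosts, nets, exception_rule=exc))
```

The example makes the operational trade-off visible: with the Exception Rule disabled, any SNI-less flow that is not covered by an IP entry is dropped, so the IP allowlist must enumerate every hard-coded destination those legacy applications use before the rule is turned off.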

To disable the Exception Rule:

  1. Under Egress FQDN Filter, click Global Configs.

  2. Clear the Exception Rule checkbox.

  3. Click Close.

If a Blacklist is configured, Client Hello packets without SNI are allowed to pass, because they cannot match any rule.