Title of invention: Dynamic resolution of fully qualified domain name (FQDN) address objects in policy definitions
Abstract: Dynamic resolution of Fully Qualified Domain Name (FQDN) address objects in policy definitions is provided. In some embodiments, dynamic resolution of Fully Qualified Domain Name (FQDN) address objects in policy definitions includes receiving a network policy that includes a domain name (e.g., the network policy can include a network security rule that is based on the domain name); and periodically updating Internet Protocol (IP) address information associated with the domain name by performing a Domain Name Server (DNS) query. In some embodiments, dynamic resolution of Fully Qualified Domain Name (FQDN) address objects in policy definitions includes dynamically performing a first local Domain Name Server (DNS) lookup for a first VSYS using a first DNS server on a first domain name for implementing a network policy based on the first domain name; dynamically performing a second local DNS lookup for a second VSYS using a second DNS server on the first domain name for implementing the network policy based on the first domain name; in which the network policy includes a network security rule that is based on the first domain name, and the network policy includes a network security rule that is based on the second domain name.
Publication number: US9503424(B2) Publication date: 2016.11.22
Application number: US201514807763 Filing date: 2015.07.23
Applicant: Palo Alto Networks, Inc. Inventors: Bharali Anupam; Ghatge Ajay; Ithal Ravi
Classification: H04L29/06; H04L29/12; H04L12/841 Main classification: H04L29/06
Agency: Van Pelt, Yi & James LLP Agent: Van Pelt, Yi & James LLP
Independent claim: 1. A system, comprising: a processor configured to: receive a network policy that includes a domain name, wherein the domain name includes a Fully Qualified Domain Name (FQDN); periodically update Internet Protocol (IP) address information associated with the domain name by performing a Domain Name Server (DNS) query, wherein update the IP address information comprises: determine whether the domain name has been resolved; in the event that the domain name has not been resolved, attempt to resolve the domain name; and in the event that the domain name has been resolved, check whether the IP address information associated with the domain name has changed; and in the event that the network policy is to be enforced and the IP address information associated with the domain name has not been updated, dynamically perform a resolution of the domain name to enforce the network policy based on the domain name; and a memory coupled to the processor and configured to provide the processor with instructions.
Address: Santa Clara CA US