Threat Prevention - Network is configured on your DNS Server(s) and forwards DNS queries to the HEIMDAL DNS Resolvers, which are responsible for filtering all network packets based on DNS request origin and destination. The engine blocks malicious packets from communicating across the network, prevents man-in-the-browser attacks, detects zero-hour exploits, protects from data or financial exfiltration, and prevents data loss or network infections.
The DNS queries are not solved or the traffic is not being filtered
BEHAVIOR: the DNS queries are not solved or the DNS traffic is not being filtered.
SOLUTION: troubleshoot this issue by working through the steps below.
1. In the HEIMDAL Dashboard, under Network Settings -> Threat Prevention, make sure you have added your Public IP Address to the Access Rules list.
To make sure you are using the correct Public IP Address, open a browser on the DNS Server, go to google.com, search for "What is my IP Address?" and check the result.
In this example, the Public IP Address is 188.8.131.52, and this IP Address needs to be added as an Access Rule.
2. On the DNS Server, open Server Manager -> DNS, right-click the DNS Server, and select Properties. In the Forwarders tab, make sure you are using the HEIMDAL Security DNS Resolvers (184.108.40.206 and 220.127.116.11).
The HEIMDAL LogAgent does not report the hostnames in the HEIMDAL Dashboard
BEHAVIOR: the HEIMDAL LogAgent does not report the hostnames in the HEIMDAL Dashboard.
SOLUTION: the HEIMDAL LogAgent can only pick up and report the hostnames of endpoints that are listed in the Forward Lookup Zone. If an endpoint is not listed there, it will appear with an N/A hostname, but with its IP Address.
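The forwarder check from step 2 and the Forward Lookup Zone check above can be scripted on the DNS Server. The following is an added example, not HEIMDAL's own tooling; it assumes a Windows DNS Server with the built-in DnsServer PowerShell module, and the endpoint IPs and test name are constructed sample values to replace with your own.

```powershell
# Added example: run in an elevated PowerShell session on the Windows DNS Server.
param(
    # Resolver addresses as listed in step 2 of this article.
    [string[]]$ExpectedForwarders = @('184.108.40.206', '220.127.116.11'),
    # Endpoint IPs to look up in the Forward Lookup Zones (constructed sample values).
    [string[]]$EndpointIPs = @('192.0.2.10', '192.0.2.11'),
    # Name used to test each resolver (assumption: any public name will do).
    [string]$TestName = 'example.com'
)

Import-Module DnsServer -ErrorAction Stop

# 1. Compare the configured forwarders with the expected resolvers.
$configured = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
foreach ($ip in $ExpectedForwarders) {
    if ($configured -notcontains $ip) { Write-Warning "Forwarder $ip is not configured." }
}
foreach ($ip in $configured) {
    if ($ExpectedForwarders -notcontains $ip) {
        Write-Warning "Forwarder $ip is not one of the expected resolvers."
    }
}

# 2. Query each expected resolver directly from this server. If this fails,
#    re-check the Access Rule from step 1 and outbound DNS connectivity.
foreach ($ip in $ExpectedForwarders) {
    try {
        Resolve-DnsName -Name $TestName -Server $ip -Type A -DnsOnly -ErrorAction Stop | Out-Null
        Write-Output "Resolver $ip answered for $TestName."
    } catch {
        Write-Warning "Resolver $ip did not answer: $($_.Exception.Message)"
    }
}

# 3. Check that each endpoint has an A record in a primary Forward Lookup Zone.
$zones = Get-DnsServerZone | Where-Object {
    -not $_.IsReverseLookupZone -and -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }
$aRecords = foreach ($z in $zones) {
    Get-DnsServerResourceRecord -ZoneName $z.ZoneName -RRType A |
        Select-Object HostName, @{ n = 'Zone'; e = { $z.ZoneName } },
                      @{ n = 'IP'; e = { $_.RecordData.IPv4Address.IPAddressToString } }
}
foreach ($ip in $EndpointIPs) {
    $hit = $aRecords | Where-Object IP -eq $ip
    if ($hit) { $hit | ForEach-Object { Write-Output "$ip -> $($_.HostName) in zone $($_.Zone)" } }
    else { Write-Warning "$ip has no A record in a Forward Lookup Zone; expect an N/A hostname." }
}
```

Warnings from part 1 or 2 relate to the filtering issue; warnings from part 3 identify endpoints that will be reported without a hostname.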
If none of the steps above fix the issue, please reach out to the HEIMDAL Security Support Team.