Controlling Traffic Based on Security Group Tag or Dynamic Attributes
Dynamic Attributes conditions in DNS rules allow you to control traffic based on security group tag or other dynamic attributes. To use these attributes, you must apply security group tags to traffic in your network, or create the dynamic attribute objects you need using the API or the Cisco Secure Dynamic Attributes Connector. For more information about enabling dynamic attributes, see Dynamic Attributes Rule Conditions.
When you configure dynamic attributes for a DNS rule, objects of the same type in the same source or destination list are ORed together, and objects of different types are ANDed together. For example, if you select both a security group tag and a dynamic object that lists IP addresses, the rule matches if traffic with the tag originates from (or is destined to) one of those IP addresses.
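The following Python sketch models the OR/AND matching described above for a single source or destination list, so you can check what a planned selection would match before you build the rule. It is an added illustration, not Cisco code or an API of the product; the class, function names, object names, tag numbers and addresses are all constructed for the example, and treating an empty list as "no constraint" is an assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AttrObject:
    kind: str      # "sgt" or "dynamic_object" (hypothetical type labels)
    name: str
    value: object  # sgt: tag number; dynamic_object: tuple of IPs/CIDRs

def object_matches(obj, endpoint_ip, endpoint_sgt):
    """True if one selected object matches the endpoint."""
    if obj.kind == "sgt":
        return endpoint_sgt is not None and endpoint_sgt == obj.value
    if obj.kind == "dynamic_object":
        ip = ipaddress.ip_address(endpoint_ip)
        return any(ip in ipaddress.ip_network(n, strict=False)
                   for n in obj.value)
    raise ValueError(f"unknown object type: {obj.kind}")

def list_matches(objects, endpoint_ip, endpoint_sgt):
    """Evaluate one source (or destination) list against one endpoint.

    Same-type objects are ORed; the per-type results are ANDed.
    Assumption: an empty list places no constraint and always matches.
    """
    by_kind = {}
    for obj in objects:
        by_kind.setdefault(obj.kind, []).append(obj)
    return all(
        any(object_matches(o, endpoint_ip, endpoint_sgt) for o in group)
        for group in by_kind.values()
    )

# Constructed sample selection: two tags and one dynamic object.
SOURCES = [
    AttrObject("sgt", "Contractors", 15),
    AttrObject("sgt", "Guests", 16),
    AttrObject("dynamic_object", "lab-hosts", ("10.20.0.0/24", "192.0.2.10")),
]

if __name__ == "__main__":
    for ip, sgt in [("10.20.0.7", 15), ("10.20.0.7", 99), ("10.30.0.7", 15)]:
        print(ip, sgt, list_matches(SOURCES, ip, sgt))
```

Adding a second object type to a list narrows the match, while adding another object of an existing type widens it. Review selections with that in mind so a rule does not silently match more or less traffic than intended.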
Procedure
Step 1 | In the DNS rule editor, click Dynamic Attributes.
Step 2 | Select the objects you want to use, and click either Add Sources or Add Destinations. Initially, all Dynamic Objects and Security Group Tags are listed when you open the Dynamic Attributes tab. You can deselect an option to remove those objects from the list. You can also start typing in the search box to find the object you want. You can use these objects to identify the source of the connection, the destination, or both.
Step 3 | Click the DNS tab and add the lists or feeds that include the DNS names you are controlling. For more information, see Controlling Traffic Based on DNS List or Feed.
Step 4 | Save or continue editing the rule.
What to do next
- Deploy configuration changes.