Destination Lists are an update to the traditional Domain Lists you're probably used to seeing and as part of an effort to improve the way in which you interact with the dashboard and to make thing easier to use, we're going to be updating our dashboard and replacing Domain Lists with Destination Allow and Block Lists.
For existing customers, a migration process will take place that maps your existing Domain Lists to Destination Block or Allow lists, depending on how they were configured. The migration is pretty simple:
- if a domain list was set so all domains on that list were to be 'blocked', those domains have been moved into a 'Destination Block List'
- If a domain list was set so all domains on that list were to be 'allowed', those domains have been moved into a 'Destination Allow List'
In addition, we're rolling out the ability to Allow IP addresses or CIDR IP ranges, specifically for the Roaming Client with the IP Layer Enforcement feature enabled. This ensures that specific IPs or blocks of IPs will not be blocked when the feature is enabled. For more information on this, see the "Allowing an IP Address or CIDR of IP Addresses" section below.
Using a Destination List
For new customers, the purpose of these lists is for you to block or allow domains. To create a new block or allow list, navigate to Policy Settings > Destination Lists and click Add A New Destination List.
Give your list a descriptive name, then add any domains you'd like to the list. Keep in mind that subdomains are implied by a wildcard so "domain.com" will cover sub.domain.com, "another-subdomain.domain.com" and so on. It's important to remember this when you're trying to block smaller chunks of larger domains as well. Click Save to confirm the change.
You can also add or modify a Destination Block/Allow List from the Policy Wizard, which is also where you apply the Destination Block/Allow List to a group of Identities. It's under Step 2 of Policies, either when creating a new Policy or editing an existing one:
Allowing an IP Address or CIDR of IP Addresses – Roaming Client Only
NOTE: This feature is in Limited Availability and not available for all customers. It requires the Roaming Client be installed on the identities for this feature in the policy. If you are running IP Layer Enforcement and would like to try this feature out, please contact email@example.com to see if you are eligible.
For Destination Allow Lists only (for now), you can add an IP address or a block of IP addresses. The format for the block of IP addresses is standard CIDR notation.
The size of the CIDR cannot exceed a /8, otherwise, you'll receive this error:
If you enter an invalid subnet mask, such as 126.96.36.199/1000000, the IP will be added but the network notation will be ignored.
Otherwise, add any destination that you'd like to ensure isn't blocked now or in the future: