Critical workstation firewall profile and allow url/domain

itans

Hi,

We have customer who has critical sensitive user data in use, and they need firewall rules that block all outbound and inbound traffic except allowed.

We can achieve this using "critical workstation" firewall profile and then allow needed ip-addresses.

However, one program (autodesk autocad) needs constant connection to lisencing service and they do not inform ip addresses for service, but only domains to allow.

Is there a way to allow domain/url instead of ip?

I noticed that there is "network isolation" section in profile settings, and there is "allowed domains" text box. But then it states that those rules only apply when using network isolation withsecure profile. I cannot find such profile. I tried to apply domains to that text box, but it is not working.

So, is it possible to allow specific domains instead of ip?

Sethu Laks

Hi @itans

Thank you for reaching out the WithSecure Community,

Yes, allowing traffic by domain or URL is possible, but only within the Network Isolation feature. Here’s why:

How Network Isolation Works

• The “Allowed domains” setting applies only when a device is in isolation mode.
• Isolation enforces strict firewall rules, blocking all traffic except to the domains you specify.
• DNS resolution is limited during isolation—only listed domains are reachable.
• Activating isolation remotely applies these rules through a secure isolation profile.

If Network Isolation isn’t active, domain entries won’t affect normal firewall traffic.

For a Strict Firewall Policy

• To block all unknown traffic (e.g., for a critical workstation), disable “Allow unknown inbound/outbound connections” in Fallback settings.
• Then configure standard firewall rules based on IPs, ports, protocols, or applications.
• Domain-based rules aren’t supported outside isolation, so for apps like AutoCAD, you’ll need to:
  • Allow the required IP addresses (if available),
  • Use a proxy (if the app supports it),
  • Or manage this at the network firewall level if DNS-based rules are supported.

Bottom line: Domain-based allowances only work in Network Isolation mode, not in standard firewall profiles. For regular operation, IP-based rules or network-level DNS filtering are the alternatives.

If you’d like more details or want to submit a feature request, let us know!

Best regards,
Sethu
Community Moderator | Technical Support Engineer
WithSecure™ https://www.withsecure.com/