Domain groups

Protected workloads in a Zero Trust network need continued access to fixes, patches, and upgrades. Managing updates by IP address is cumbersome because IP addresses change. Grouping update servers by their fully qualified domain names (FQDNs) makes update management easier.

Use Domain groups in Xshield to logically group domains by the purpose they serve, and then allow Workload groups to download and install updates from the selected Domain groups. For example, create a Domain group named Microsoft updates for Microsoft update domains, and create Access policies with Workload groups that use Microsoft subscriptions. Similarly, create another Domain group named Linux updates to update Linux workloads.

When Access policies are enforced between Workload groups and Domain groups, workloads cannot connect to domains that are not part of the Domain groups. To ensure continued use of Access policies with Domain groups, the Xshield agents on the workloads update the IP addresses of the domains in the Domain groups in real time.

For domains that redirect requests, you must add both the original domain and the domain to which the requests are redirected.
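The following is an added example, not part of the Xshield product or its documentation: a small offline check that walks a recorded redirect chain and lists the hosts a Domain group does not yet cover. The group entries, URLs, and hops are constructed samples, and the wildcard rule (`*.example.com` covers sub-domains but not `example.com` itself) is an assumption, not documented Xshield behavior.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: entries of a hypothetical Domain group.
GROUP = ["*.windowsupdate.com", "download.example.com"]

# Constructed sample: redirect hops as (requested URL, status, Location header),
# for instance transcribed from proxy logs or `curl -sIL` output.
HOPS = [
    ("http://download.example.com/pkg/latest", 302,
     "https://cdn.example.net/pkg/1.2/pkg.cab"),
    ("https://cdn.example.net/pkg/1.2/pkg.cab", 301, "/mirror/pkg.cab"),
    ("https://cdn.example.net/mirror/pkg.cab", 200, None),
]

def host_of(url):
    """Lower-cased host name of a URL, without a trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".")

def covered(host, entries):
    """True if host matches a group entry.
    Assumption: '*.example.com' covers sub-domains only, not the apex."""
    for entry in entries:
        entry = entry.lower().rstrip(".")
        if entry.startswith("*."):
            suffix = entry[1:]  # ".example.com"; the leading dot blocks look-alikes
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == entry:
            return True
    return False

def hosts_in_chain(hops):
    """Every host contacted along the chain, in first-seen order."""
    seen = []
    for url, status, location in hops:
        urls = [url]
        if 300 <= status < 400 and location:
            urls.append(urljoin(url, location))  # resolves relative Location values
        for u in urls:
            host = host_of(u)
            if host and host not in seen:
                seen.append(host)
    return seen

def missing_domains(hops, entries):
    """Hosts in the redirect chain that no group entry covers."""
    return [h for h in hosts_in_chain(hops) if not covered(h, entries)]

if __name__ == "__main__":
    print("Add to the Domain group:", missing_domains(HOPS, GROUP))
```
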

Domain groups are distinctly visible on Visualizer. You can filter traffic by Domain groups on Visualizer and Flow Explorer.


Ways to create Domain groups

Domain groups can be created in one of the following ways:

  • Add Domain groups - you are likely to do this on fresh deployments where assets have not yet visited domains.

    Anticipate and add multiple domains to a Domain group by the purpose they serve.

  • Create Domain groups from 'visited' domains - 'visited' domains are the domains that workloads and endpoints have already visited before or after you placed them in the Observe mode with policies. 

    Select multiple domains by the purpose they serve and add them to a Domain group.


Add Domain groups

Create multiple Domain groups to group domains by the purposes they serve. 

  1. Go to Assets & Groups > Domain groups.

  2. Click Create > Domain group.

  3. In the Name text box, enter a name for the Domain group.

  4. Add a useful description.

  5. In the Domain listing, add a domain. For example, *.windowsupdate.com.

    Click Add to add more domains.

  6. Click Save.


Create Domain groups from 'visited' domains

To create Domain groups easily and quickly, select and add domains to which connections have been made from the assets in your network.

All sub-domains of a top-level domain that were visited are grouped as one entry.

  1. Go to Assets & Groups > Domain groups.

  2. From the filter on the top-right corner of the page, select Observed Domains.

  3. In the Search box, enter a keyword to filter the list of visited domains.

  4. Select the domains you want to group.

  5. Click Create Domain Group.

  6. In the Name text box, enter a name for the Domain group.

  7. Add a useful description.

  8. Click > for a domain and select the top-level domain or only some sub-domains.

  9. Click Save.


Delete Domain groups

Deleting a Domain group deletes the related Access policies from the Workload groups, so delete Domain groups from Xshield with care.


Next steps

  • Apply policy recommendations for traffic from Workload groups to Domain groups.

  • Create Access policies between Domain groups and Workload groups. Read Access policies for more.
