# Default Preferences

From v2.9.0 of DiscrimiNAT, certain behavioural preferences can be set at global level per deployment. These are defined in JSON format in an SSM Parameter named `DiscrimiNAT` (or `DiscrimiNAT_<custom_deployment_id>`) (case-sensitive) and the default value if not defined or not accessible is:

```json
{
  "%default": {
    "wildcard_exposure": "prohibit_public_suffix",
    "flow_log_verbosity": "full",
    "see_thru": null,
    "x509_crls": "ignore"
  }
}
```

:::tip
Preferences you wish to leave at defaults can be excluded. Also, any additional JSON keys will simply be ignored.
:::

:::caution
Preferences are refreshed **once every five minutes** from the SSM Parameter.
:::

## Preferences

### wildcard_exposure

Generally, `?` matches exactly one character that is not a `.`, and `*` matches any number of characters that are not `.` (so neither wildcard spans a label boundary).

#### Options

`none`: no wildcard characters such as `?` or `*` are allowed at all

`prohibit_asterisk`: `?` is allowed; `*` is not allowed

`prohibit_public_suffix`: `?` is allowed; `*` is allowed as long as the domain names that could result are not publicly registrable (i.e. their suffix is not an Effective TLD). For example, `*.github.com` is okay but `*.github.io` is not. Another example would be `*.cloudflare.net`, which is effectively public. This is determined using [Mozilla's Public Suffix List (PSL)](https://publicsuffix.org/) bundled into DiscrimiNAT. The version of the PSL bundled is listed in the [Release Notes](/docs/discriminat/aws/release-notes/) and is updated with every release.

:::tip
If a wildcard pattern is not accepted because it could have led to a Public Suffix List match, a _config_ log message like the following will be emitted:

``{addr: "*.github.io", cat: "addr", outcome: "publicsuffix[.]org list matched with `github.io`"}``
:::

`nuclear`: `?` is allowed; `*` is allowed with no public suffix list safeguard

#### Default
`prohibit_public_suffix`
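As an added illustration (not DiscrimiNAT's own code), the following Python models the wildcard semantics above and applies each of the four `wildcard_exposure` modes to a pattern, producing the same outcome wording as the config log line shown in the tip. `PUBLIC_SUFFIXES` is a small constructed subset of the PSL, the function names are assumptions, and one generalisation is made beyond the page: the suffix check treats a label containing `?` the same as one containing `*`, since either yields names under the fixed suffix.

```python
"""Wildcard FQDN patterns and the public-suffix safeguard, modelled in Python.

Added example, not DiscrimiNAT's own code. PUBLIC_SUFFIXES is a small
constructed subset of Mozilla's Public Suffix List; the product bundles the
full list. Function names are assumptions for the illustration.
"""
import re
from typing import Optional, Tuple

# Constructed PSL subset for the demo: 'github.io' and 'cloudflare.net' are
# public suffixes (anyone can register a name under them); 'github.com' is not.
PUBLIC_SUFFIXES = {"com", "net", "io", "github.io", "cloudflare.net"}

EXPOSURE_MODES = {"none", "prohibit_asterisk", "prohibit_public_suffix", "nuclear"}


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a pattern into an anchored regex.

    '?' matches exactly one character that is not '.', and '*' matches any
    run of characters that are not '.', so no wildcard crosses a label.
    """
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(r"[^.]")
        elif ch == "*":
            parts.append(r"[^.]*")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def matches(pattern: str, fqdn: str) -> bool:
    return pattern_to_regex(pattern).match(fqdn) is not None


def public_suffix_hit(pattern: str) -> Optional[str]:
    """Return the public suffix a wildcard pattern collides with, if any.

    Every name the pattern can match shares the labels to the right of the
    last wildcard-bearing label. If that fixed suffix is itself a public
    suffix (e.g. 'github.io' for '*.github.io'), the pattern would admit
    names registrable by arbitrary third parties.
    """
    labels = pattern.split(".")
    wild = [i for i, label in enumerate(labels) if "*" in label or "?" in label]
    if not wild:
        return None
    fixed = ".".join(labels[wild[-1] + 1:])
    return fixed if fixed in PUBLIC_SUFFIXES else None


def check_pattern(pattern: str, exposure: str = "prohibit_public_suffix") -> Tuple[bool, str]:
    """Apply a wildcard_exposure mode to a pattern; returns (accepted, outcome)."""
    if exposure not in EXPOSURE_MODES:
        raise ValueError(f"unknown wildcard_exposure: {exposure!r}")
    has_q, has_star = "?" in pattern, "*" in pattern
    if exposure == "none" and (has_q or has_star):
        return False, "wildcard characters not allowed"
    if exposure == "prohibit_asterisk" and has_star:
        return False, "'*' not allowed"
    if exposure == "prohibit_public_suffix":
        hit = public_suffix_hit(pattern)
        if hit is not None:
            # Same outcome wording as the config log line in the docs.
            return False, f"publicsuffix[.]org list matched with `{hit}`"
    return True, "ok"


if __name__ == "__main__":
    for p in ["*.github.com", "*.github.io", "*.cloudflare.net", "*.foo.github.io"]:
        print(p, check_pattern(p))
```

Note that `*.foo.github.io` is accepted under `prohibit_public_suffix` because its fixed suffix `foo.github.io` is one registered name, whereas `*.github.io` is rejected because `github.io` is a public suffix.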

### flow_log_verbosity

This setting only affects the _flow_ logs. The verbosity and behaviour of _config_ logs are not affected.

#### Options

`full`: all _allowed_ and _disallowed_ flows for both the client requests and the server responses are logged in the _flow_ logs

`only_disallowed`: only _disallowed_ flows will be logged

`none`: no logs at all

#### Default
`full`

### see_thru

The `see_thru` non-blocking, monitoring mode can be enabled for an entire deployment from this level, rather than per Security Group. This is only the default and does not override a _see-thru_ mode defined at a more granular level, even if the one defined at the granular level has expired.

:::tip
See [see-thru](/docs/discriminat/aws/config-ref/#see-thru-mode) mode docs for understanding this non-blocking, monitoring mode in detail.
:::

#### Options

`yyyy-mm-dd` formatted date

`null` to not enable _see_thru_ at the default level. The `null` value is written without quotes (JSON `null`); alternatively, this top-level key can be left out completely.

#### Default
`null`

### x509_crls

#### Options

`auto_allow`: Automatically allow the plaintext HTTP CRL endpoints of the X.509 SSL certificates for all allowlisted TLS FQDNs.

`ignore`: Do not allow CRL Endpoints automatically.

#### Default
`ignore`

## Examples

On a new deployment of DiscrimiNAT it may be useful to turn on the non-blocking, monitoring `see_thru` mode until a specified date. This ensures apps continue to work while data is captured, from which an allowlist can eventually be built:

`{"%default":{"see_thru":"2026-11-19"}}`

:::tip
Also see [building an allowlist from scratch video recipe](/docs/discriminat/aws/logs-ref/#building-an-allowlist-from-scratch-video-version).
:::

Ultimately, when allowlists are built and enforced, you may want to turn off _flow_ logs for _allowed_ connections, saving on logging costs:

`{"%default":{"flow_log_verbosity":"only_disallowed"}}`

To also enable automatic allowing of X509 CRL Endpoints:

`{"%default":{"flow_log_verbosity":"only_disallowed","x509_crls":"auto_allow"}}`
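The three fragments above, together with the documented defaults and the five-minute refresh described at the top of the page, can be exercised with the following Python. This is an added example, not DiscrimiNAT's own code: the SSM read is abstracted as a `fetch()` callable returning the parameter's string value (or `None` when the parameter is undefined or inaccessible) so the block runs offline, and the function and class names are assumptions.

```python
"""Merge, validate and periodically refresh DiscrimiNAT-style preferences.

Added example, not the product's own code. fetch() stands in for reading
the SSM Parameter and returns its string value, or None when the parameter
is missing or not readable. Names below are assumptions.
"""
import json
import re
import time
from datetime import date
from typing import Callable, Dict, Optional, Union

# Defaults exactly as documented for the "%default" object.
DEFAULTS: Dict[str, Optional[str]] = {
    "wildcard_exposure": "prohibit_public_suffix",
    "flow_log_verbosity": "full",
    "see_thru": None,
    "x509_crls": "ignore",
}

ALLOWED = {
    "wildcard_exposure": {"none", "prohibit_asterisk", "prohibit_public_suffix", "nuclear"},
    "flow_log_verbosity": {"full", "only_disallowed", "none"},
    "x509_crls": {"auto_allow", "ignore"},
}

REFRESH_SECONDS = 300  # preferences are re-read once every five minutes
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def parameter_name(deployment_id: Optional[str] = None) -> str:
    """SSM Parameter name (case-sensitive), with optional custom deployment id."""
    return "DiscrimiNAT" if deployment_id is None else f"DiscrimiNAT_{deployment_id}"


def validate_see_thru(value) -> Optional[str]:
    """see_thru is either JSON null or a yyyy-mm-dd calendar date."""
    if value is None:
        return None
    if not isinstance(value, str) or not DATE_RE.match(value):
        raise ValueError(f"see_thru must be yyyy-mm-dd or null, got {value!r}")
    date.fromisoformat(value)  # rejects impossible dates such as 2026-13-40
    return value


def parse_preferences(raw: Optional[str]) -> Dict[str, Optional[str]]:
    """Overlay the "%default" object from the parameter's JSON on DEFAULTS.

    raw=None models a parameter that is missing or not readable, so the
    documented defaults apply unchanged. Keys other than the four documented
    ones are ignored; an unsupported value raises ValueError.
    """
    merged = dict(DEFAULTS)
    if raw is None:
        return merged
    section = json.loads(raw).get("%default", {})
    for key, value in section.items():
        if key not in DEFAULTS:
            continue
        if key == "see_thru":
            merged[key] = validate_see_thru(value)
        elif isinstance(value, str) and value in ALLOWED[key]:
            merged[key] = value
        else:
            raise ValueError(f"{key}: unsupported value {value!r}")
    return merged


def see_thru_active(prefs: Dict[str, Optional[str]], today: Union[date, str]) -> bool:
    """True while the deployment-wide see_thru date has not passed."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    until = prefs["see_thru"]
    return until is not None and today <= date.fromisoformat(until)


class PreferenceCache:
    """Re-reads the parameter at most once per REFRESH_SECONDS."""

    def __init__(self, fetch: Callable[[], Optional[str]],
                 clock: Callable[[], float] = time.monotonic):
        self._fetch, self._clock = fetch, clock
        self._prefs: Optional[Dict[str, Optional[str]]] = None
        self._loaded_at = float("-inf")
        self.fetch_count = 0  # how many times the parameter has been read

    def get(self) -> Dict[str, Optional[str]]:
        now = self._clock()
        if now - self._loaded_at >= REFRESH_SECONDS:
            self.fetch_count += 1
            try:
                self._prefs = parse_preferences(self._fetch())
            except ValueError:
                # Assumption for this example: malformed content keeps the last
                # good preferences, or the defaults if none were loaded yet.
                self._prefs = self._prefs or dict(DEFAULTS)
            self._loaded_at = now
        return self._prefs


if __name__ == "__main__":
    cache = PreferenceCache(lambda: '{"%default":{"see_thru":"2026-11-19"}}')
    print(parameter_name(), cache.get(), see_thru_active(cache.get(), date.today()))
```

The cache takes an injectable clock so the refresh interval can be tested without waiting; the date check is deliberately strict about the `yyyy-mm-dd` shape rather than accepting any ISO 8601 variant.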

## System

System-level preferences are passed directly to VM instance creation, are stored as files on the operating system disk, and are only read on start.

These are placed within the instance because they represent critical customer choices that must be respected regardless of whether external APIs are reachable or the right IAM permissions are assigned to the instance profile.

### BYOL

A licence key supplied by Chaser Support if using the [BYOL version](https://aws.amazon.com/marketplace/pp/prodview-7hafqjdkvnfyk) from AWS Marketplace. The pay as you go version does not require this.

The value can be passed to the `byol` variable in our [Terraform modules](https://registry.terraform.io/namespaces/ChaserSystems) and [CloudFormation templates](https://github.com/orgs/ChaserSystems/repositories?q=cloudformation). The contents are Base64 decoded and written to the path `/etc/chaser/licence-key.der`.

### ASHR

Automated System Health Reporting.

10 minutes after boot and then at around 0200 UTC every day, each instance of DiscrimiNAT collects its OS internals and system logs since instance creation, along with config changes and traffic flow information from the last two hours, and uploads them to a Chaser-owned cloud bucket. This information is encrypted at rest with a specific public key, so only the relevant individuals holding the corresponding private key can decrypt it. The transfer is encrypted over TLS.

Access to this information is immensely useful for creating a faster and more reliable DiscrimiNAT as we add new features. We also get to learn how users interact with the product, in order to further improve its usability as they embark on a very ambitious journey of fully accounted for and effective egress controls.

We understand if certain environments within your deployment would rather not have this turned on. To disable it, a file at the path `/etc/chaser/disable_automated-system-health-reporting` should exist.

This can be achieved by setting the `ashr` variable to `false` in our [Terraform modules](https://registry.terraform.io/namespaces/ChaserSystems).
