topic Re: Using wildcard in URL filtering in Network Security

Using wildcard in URL filtering

lyutov_dv — Fri, 21 Feb 2020 14:28:05 GMT

hi,

How can i block all connections to *.microsoft.com (for example)?

Can i use custom URL object *.microsoft.com or firepower doesnt support wildcards?

Re: Using wildcard in URL filtering

Marvin Rhoads — Wed, 11 Oct 2017 11:56:03 GMT

Firepower support wilcards in URL objects.

See the screenshot below taken from my FMC 6.2.2:

Re: Using wildcard in URL filtering

lyutov_dv — Wed, 11 Oct 2017 11:59:40 GMT

I can create an object but it doesn't work in access rules

Re: Using wildcard in URL filtering

Sheraz.Salim — Wed, 11 Oct 2017 12:54:08 GMT

I remember not long ago opened a cisco tac with similar issue. and TAC advise to use a WSA. according to them FMC/Firepower sensor do not support wild card in URL filtering.

Re: Using wildcard in URL filtering

Marvin Rhoads — Wed, 11 Oct 2017 12:57:00 GMT

Sorry about that - you are correct. I found a technote mentioning this as well:

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118852-technote-firesight-00.html#anc14

I tested on my FMC just now and found the same. However if I instead use microsoft.com instead of *.microsoft.com as my url object it works due to substring matching as described in the technote.

Re: Using wildcard in URL filtering

lyutov_dv — Wed, 11 Oct 2017 13:08:16 GMT

Yes I found this technote...

it works but it's not the same because for example oldmicrosoft.com will be blocked as well, but it's another domain

Re: Using wildcard in URL filtering

Marvin Rhoads — Wed, 11 Oct 2017 13:17:32 GMT

Quite true - that is a limitation of the current platform.

I will remember to bring this up with the Cisco engineers at next week's Security team event.

Re: Using wildcard in URL filtering

brian.emil.harris — Wed, 21 Feb 2018 23:37:53 GMT

So, what was the resolution to this?

We have a URL blacklist, with, as an example, 777.com in it.

777.com blocks, but www.777.com does not.

Re: Using wildcard in URL filtering

brian.emil.harris — Thu, 22 Feb 2018 15:24:17 GMT

So, it appears the substring matching works if I create an actual URL object, then block it.

Substring matching, however, does not work, when populating a blacklist/whitelist in the Security Intelligence URL Lists and Feeds.

Re: Using wildcard in URL filtering

John Ventura — Fri, 06 Apr 2018 17:19:48 GMT

This document might be helpful FTD URL Filtering - How it works?

Re: Using wildcard in URL filtering

evan.chadwick1 — Wed, 01 Aug 2018 21:43:27 GMT

what came of this.
IF Firepower can not process wildcard, why does the product allow them to be created. Surely its not that hard to detect a wildcard and not save it and put up a screen that advises so?

Re: Using wildcard in URL filtering

Rokib Hasan — Thu, 21 Jan 2021 18:09:45 GMT

Firepower does support wildcard, but not this format like (*.microsoft.com) rather it support (.microsoft.com) format. You can create a URL object with value (.microsoft.com) for blocking all microsoft.com domain, it will block for support.microsoft.com/ www.update.microsoft.com/ or any other sub domain after .microsoft.com. So use dot(.) instead of asterisk(*) it will work fine. I am testing it in production environment.

Re: Using wildcard in URL filtering

bcoverstone — Thu, 16 Sep 2021 22:59:02 GMT

In FDM, all sub-websites match by just using the base domain name.

Therefore, just enter microsoft.com

Do not include an asterisk (i.e. *.microsoft.com)

Do not include a dot (i.e. .microsoft.com)

This will match microsoft.com, abc.microsoft.com, and abc.update.microsoft.com

However, notmicrosoft.com will not match

I have been testing this successfully. Here's the reference:

Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.2.3 - Objects [Cisco Firepower NGFW] - Cisco

Look under Configuring URL Objects and Groups

I'm using version 7.0.0.1 with FDM, I don't know if previous 6.x versions worked the same way.