https://community.cisco.com/t5/network-security/block-wildcard/m-p/5060650#M1110888 <P>Hi Team,</P><P>We have a requirement to block wildcard domain for example *.xx.xx. As this is wildcard we dont see an option to block it in FTD(Managed using FMC). Please suggest a best way to block this wildcard in FTD.&nbsp;</P><P>Regards,</P><P>Sanjay S</P> Mon, 08 Apr 2024 14:56:57 GMT ssan239 2024-04-08T14:56:57Z https://community.cisco.com/t5/network-security/block-wildcard/m-p/5060650#M1110888 <P>Hi Team,</P><P>We have a requirement to block wildcard domain for example *.xx.xx. As this is wildcard we dont see an option to block it in FTD(Managed using FMC). Please suggest a best way to block this wildcard in FTD.&nbsp;</P><P>Regards,</P><P>Sanjay S</P> Mon, 08 Apr 2024 14:56:57 GMT https://community.cisco.com/t5/network-security/block-wildcard/m-p/5060650#M1110888 ssan239 2024-04-08T14:56:57Z https://community.cisco.com/t5/network-security/block-wildcard/m-p/5060697#M1110909 <P>You can use SI dns policy' you can in notepad add domain then fed it to FMC and use in ACP SI.</P> <P>Did you try that?</P> <P>MHM</P> Mon, 08 Apr 2024 15:28:09 GMT https://community.cisco.com/t5/network-security/block-wildcard/m-p/5060697#M1110909 MHM Cisco World 2024-04-08T15:28:09Z https://community.cisco.com/t5/network-security/block-wildcard/m-p/5061172#M1110918 <P>Is this the process your speaking of?&nbsp;<A href="https://safe.menlosecurity.com/doc/docview/viewer/docNDCCEB78C228273e1953362d6e58abe0aede2f9b72dfcc5bdc716e33a263d9ea0ed0150b5bedf" target="_blank">https://safe.menlosecurity.com/doc/docview/viewer/docNDCCEB78C228273e1953362d6e58abe0aede2f9b72dfcc5bdc716e33a263d9ea0ed0150b5bedf</A>.</P><P>We do this for our block list</P> Mon, 08 Apr 2024 21:20:59 GMT https://community.cisco.com/t5/network-security/block-wildcard/m-p/5061172#M1110918 Eric R. Jones 2024-04-08T21:20:59Z https://community.cisco.com/t5/network-security/block-wildcard/m-p/5063483#M1110942 <P>There is a good doc on this:<BR /><A href="https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/214852-block-dns-with-security-intelligence-usi.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/214852-block-dns-with-security-intelligence-usi.html</A></P><P>The document claims that blocking a domain also blocks sub-domains, although I'm not sure. This needs to be tested.</P><P>&nbsp;</P> Tue, 09 Apr 2024 17:43:52 GMT https://community.cisco.com/t5/network-security/block-wildcard/m-p/5063483#M1110942 tvotna 2024-04-09T17:43:52Z https://community.cisco.com/t5/network-security/block-wildcard/m-p/5064560#M1110949 <P>The URL in FTD is a string match.&nbsp; So, for example, blocking facebook.com will also block chat.facebook.com.&nbsp; Add a deny statement at the top of the ACP blocking the base domain and this should also block subdomains.</P> Wed, 10 Apr 2024 12:28:29 GMT https://community.cisco.com/t5/network-security/block-wildcard/m-p/5064560#M1110949 Marius Gunnerud 2024-04-10T12:28:29Z https://community.cisco.com/t5/network-security/block-wildcard/m-p/5064899#M1110954 <P>IMO, manual URLF for HTTPS would require either Decryption Policy or TLS Server Identity Discovery for TLS1.3 and matching by CN instead of host portion of the URL itself. This should also work, but there is a chance to face with CSCwi76002 or CSCwf35573 or something similar.</P><P>&nbsp;</P> Wed, 10 Apr 2024 15:15:27 GMT https://community.cisco.com/t5/network-security/block-wildcard/m-p/5064899#M1110954 tvotna 2024-04-10T15:15:27Z https://community.cisco.com/t5/network-security/block-wildcard/m-p/5065034#M1110959 <P>I would agree if you are going to inspect the packet details.&nbsp; However, the poster is only looking to block the URL / domain and subdomains which is not encrypted in the HTTPS header.</P> Wed, 10 Apr 2024 16:55:46 GMT https://community.cisco.com/t5/network-security/block-wildcard/m-p/5065034#M1110959 Marius Gunnerud 2024-04-10T16:55:46Z https://community.cisco.com/t5/network-security/block-wildcard/m-p/5066045#M1110999 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/319690">@Marius Gunnerud</a>, HTTP header is of course encrypted in both TLS1.2 and TLS1.3. You mean SNI extension in the Client Hello probably, which is not encrypted, right? My understanding of official documentation and TACSEC-2002 (Las Vegas 2023) is that manual URL filtering (URL object in ACP rule) doesn't use SNI and relies on server certificate CN instead, if decryption policy is absent:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="URLF.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/215519iAE23674FEB804255/image-size/large?v=v2&amp;px=999" role="button" title="URLF.jpg" alt="URLF.jpg" /></span></P><P>&nbsp;</P><P>Documentation:</P><P class=""><EM>To filter encrypted traffic, the system determines the requested URL based on information passed during the <SPAN class="">TLS/SSL</SPAN> handshake: the subject common name in the public key certificate used to encrypt the traffic.</EM></P><P class=""><EM>HTTPS filtering, unlike HTTP filtering, disregards subdomains within the subject common name. Do not include subdomain information when manually filtering HTTPS URLs in access control<SPAN class=""> or QoS</SPAN> policies. For example, use example.com rather than <A href="http://www.example.com" target="_blank" rel="noopener">www.example.com</A>.</EM></P><P class="">On the other hand, from TACSEC-2002 it appears that Security Intelligence URL lists and feeds can use SNI, but this is not documented officially.</P><P class="">Documentation is awful.</P><P class="">&nbsp;</P> Thu, 11 Apr 2024 10:00:30 GMT https://community.cisco.com/t5/network-security/block-wildcard/m-p/5066045#M1110999 tvotna 2024-04-11T10:00:30Z