topic Re: Are wildcards in URL filtering supported? in Network Security

Are wildcards in URL filtering supported?

ryan14 — Fri, 21 Feb 2020 17:50:45 GMT

I am cleaning up my policy rules and wondering if an asterisk can be used in an ACP? I have read this post but it is from several years ago and not sure if it is still an issue:

https://community.cisco.com/t5/firepower/using-wildcard-in-url-filtering/td-p/3196891

Re: Are wildcards in URL filtering supported?

Muhammad Awais Khan — Tue, 21 Jan 2020 01:50:58 GMT

Hi,

I have seen * in SSL Decruption policies and it worked fine. For URL filtering rule, can do test shortly if some else didnt configure it recently 🙂

Re: Are wildcards in URL filtering supported?

nspasov — Tue, 21 Jan 2020 04:10:06 GMT

Wildcards are not supported in the ACP. However, for URL objects, an empty space equals any character, like a wildcard. Eg: cisco.com value will match www.cisco.com and also match www.sanfrancisco.com On the other hand, if you wanted to match on only cisco.com, then you can use .cisco.com or www.cisco.com

I hope this helps!

Thank you for rating helpful posts!

Re: Are wildcards in URL filtering supported?

Muhammad Awais Khan — Tue, 21 Jan 2020 06:27:17 GMT

Hi,

I just made a test on FMC 6.4.0.4, one time use plain URL without any Regex and URL blocking worked fine. When i used * in URL list, it is no more blocking that URL. Have a look on the attached snapshot

Re: Are wildcards in URL filtering supported?

ryan14 — Tue, 21 Jan 2020 12:46:19 GMT

That's what led to my confusion why my asterisk (used as a wild card) worked in my SSL policy but not in ACP.

Re: Are wildcards in URL filtering supported?

ryan14 — Tue, 21 Jan 2020 12:54:58 GMT

Is it best practice to use a . for matching subdomains?

Would cisco.com in the acp whitelist policy whitelist:

malicioussitecisco.com ?

.cisco.com would I think prevent the above from whitelisting the above site.

Re: Are wildcards in URL filtering supported?

Rokib Hasan — Thu, 21 Jan 2021 17:49:01 GMT

Firepower does support wildcard, but not this format like (*.microsoft.com) rather it support (.microsoft.com) format. You can create a URL object with value (.microsoft.com) for blocking all microsoft.com domain, it will block for support.microsoft.com/www.update.microsoft.com/or any other sub domain before .microsoft.com. So use dot(.) instead of asterisk(*) it will work fine. I am testing it in production environment.