34751 Views | 36 Helpful | 12 Replies

Using wildcard in URL filtering

lyutov_dv (Level 1)

hi,

How can I block all connections to *.microsoft.com (for example)?

Can I use a custom URL object *.microsoft.com, or doesn't Firepower support wildcards?


12 Replies

Marvin Rhoads (Hall of Fame)

Firepower supports wildcards in URL objects.

See the screenshot below taken from my FMC 6.2.2:

[Screenshot: FMC URL object with wildcard.PNG]

I can create an object but it doesn't work in access rules

Sorry about that - you are correct. I found a technote mentioning this as well:

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118852-technote-firesight-00.html#anc14

I tested on my FMC just now and found the same. However, if I instead use microsoft.com rather than *.microsoft.com as my URL object, it works, due to substring matching as described in the technote.

Yes, I found this technote...

It works, but it's not the same because, for example, oldmicrosoft.com will be blocked as well, and that is another domain.

Quite true - that is a limitation of the current platform.

I will remember to bring this up with the Cisco engineers at next week's Security team event.

So, what was the resolution to this?

We have a URL blacklist with, as an example, 777.com in it.

777.com blocks, but www.777.com does not.

So, it appears the substring matching works if I create an actual URL object, then block it.

Substring matching, however, does not work when populating a blacklist/whitelist in the Security Intelligence URL Lists and Feeds.

This document might be helpful: FTD URL Filtering - How it works?

I remember not long ago I opened a Cisco TAC case with a similar issue, and TAC advised using a WSA. According to them, the FMC/Firepower sensor does not support wildcards in URL filtering.
Please do not forget to rate.

evan.chadwick1 (Level 1)

What came of this?
If Firepower cannot process wildcards, why does the product allow them to be created? Surely it's not that hard to detect a wildcard, not save it, and put up a screen that advises so?

Rokib Hasan (Level 1)

Firepower does support wildcards, but not in this format (*.microsoft.com); rather, it supports the (.microsoft.com) format. You can create a URL object with the value (.microsoft.com) to block the whole microsoft.com domain; it will block support.microsoft.com/, www.update.microsoft.com/ or any other subdomain ending in .microsoft.com. So use a dot (.) instead of an asterisk (*) and it will work fine. I am testing it in a production environment.

bcoverstone (Level 1)

In FDM, all sub-websites match by just using the base domain name.

Therefore, just enter microsoft.com

Do not include an asterisk (i.e. *.microsoft.com)

Do not include a dot (i.e. .microsoft.com)

This will match microsoft.com, abc.microsoft.com, and abc.update.microsoft.com

However, notmicrosoft.com will not match

I have been testing this successfully. Here's the reference:

Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.2.3 - Objects [Cisco Firepower NGFW] - Cisco

Look under Configuring URL Objects and Groups

I'm using version 7.0.0.1 with FDM; I don't know if previous 6.x versions worked the same way.
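The three matching behaviours described across this thread (plain substring matching for FMC URL objects, the leading-dot trick, and FDM's base-domain matching) are easy to confuse when building a blocklist. The script below is an added example, not Cisco code and not taken from any post; it models each rule as a small Python function so the over-blocking case (oldmicrosoft.com) and the under-blocking case (bare microsoft.com with a leading-dot object) can be checked side by side. The exact rules are an assumed simplification of what the posts and the technote describe, and the URLs are constructed test data.

```python
"""
Model of three URL-object matching rules discussed in the thread.
Added example (assumed simplification, not Cisco's implementation):
  - substring_match   : plain substring on the URL, as the technote describes for FMC URL objects
  - dot_prefix_match  : the ".microsoft.com" style object from the thread (still a substring rule)
  - base_domain_match : domain-suffix matching as the FDM guide describes
"""
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the lower-cased host part of a URL; scheme is optional."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def substring_match(pattern: str, url: str) -> bool:
    """Plain substring match on the whole URL.
    'microsoft.com' matches www.microsoft.com, but also oldmicrosoft.com."""
    return pattern.lower() in url.lower()


def dot_prefix_match(pattern: str, url: str) -> bool:
    """Leading-dot object (e.g. '.microsoft.com') under the same substring rule.
    Avoids oldmicrosoft.com, but no longer matches the bare apex microsoft.com."""
    if not pattern.startswith("."):
        raise ValueError("dot-prefix objects must start with '.'")
    return pattern.lower() in url.lower()


def base_domain_match(pattern: str, url: str) -> bool:
    """Domain-suffix match on the host only: the base domain and every subdomain,
    but not look-alike registrations such as notmicrosoft.com."""
    host = host_of(url)
    base = pattern.lower().lstrip("*.")  # tolerate '*.example' or '.example' input
    return host == base or host.endswith("." + base)


# Constructed test URLs covering apex, subdomains, and look-alike domains.
SAMPLE_URLS = [
    "http://microsoft.com/",
    "https://support.microsoft.com/",
    "https://abc.update.microsoft.com/path",
    "http://oldmicrosoft.com/",
    "http://notmicrosoft.com/",
]


def compare(pattern_for_rule: dict) -> dict:
    """Evaluate each rule with its own pattern over SAMPLE_URLS.
    Returns {url: {rule_name: matched}} so differences are visible per URL."""
    rules = {
        "substring": substring_match,
        "dot_prefix": dot_prefix_match,
        "base_domain": base_domain_match,
    }
    table = {}
    for url in SAMPLE_URLS:
        table[url] = {
            name: fn(pattern_for_rule[name], url) for name, fn in rules.items()
        }
    return table


if __name__ == "__main__":
    patterns = {
        "substring": "microsoft.com",
        "dot_prefix": ".microsoft.com",
        "base_domain": "microsoft.com",
    }
    for url, result in compare(patterns).items():
        print(f"{url:45} " + "  ".join(f"{k}={v}" for k, v in result.items()))
```

Running it shows the trade-off the thread circles around: the plain object blocks everything under microsoft.com but also oldmicrosoft.com; the leading-dot object fixes that but misses the apex host; only a host-based suffix rule gets both right, which is the behaviour bcoverstone reports for FDM.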
