12-26-2018 01:30 AM - edited 03-12-2019 07:11 AM
Hello
We are on Cisco FMC 2500, Code version 6.2.3
Is it possible to
1) Block url1.example.com and allow www.example.com?
2) Allow url2.example.com, block url1.example.com, and allow www.example.com?
3) Allow child domains and block parent domain?
I have read documentation that this is not possible, but I am trying the forums just in case :)
Thank you very much.
12-26-2018 02:47 AM
Hi,
Try creating rules like in the screenshot below: allow the subdomains first and then block the parent domain.
FMC does not support blocking wildcards.
Create an allow rule with url1.example.com, then create a block rule for example.com.
This way you can achieve this, but you need to specify all your child domains.
Thanks,
Abheesh
PS: Please don't forget to rate and select as validated answer if this answered your question
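The ordering described in the answer above, sketched as an added example that is not part of the original thread and is not FMC's own matching engine. It assumes a generic first-match rule list, a pattern that matches a host and its subdomains, and a default action of allow; the rule names are hypothetical.

```python
# Added illustration: a generic first-match rule list, not FMC's matching engine.
# Assumption: a rule pattern matches a host equal to it or any subdomain of it.

def matches(pattern, host):
    """True if host is the pattern itself or a subdomain (label-boundary suffix)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)

def evaluate(rules, host, default="allow"):
    """Return (action, rule_name) of the first rule whose pattern matches host."""
    for name, action, pattern in rules:
        if matches(pattern, host):
            return action, name
    return default, "default-action"  # assumed default action

def shadowed(rules):
    """List (rule, earlier_rule) pairs where the earlier, broader rule already
    matches every host the later rule covers, so the later rule never fires."""
    findings = []
    for i, (name, _action, pattern) in enumerate(rules):
        for prev_name, _prev_action, prev_pattern in rules[:i]:
            if matches(prev_pattern, pattern):
                findings.append((name, prev_name))
                break
    return findings

# Constructed rule sets using the hostnames from the thread.
GOOD = [
    ("allow-url1", "allow", "url1.example.com"),  # specific child first
    ("block-parent", "block", "example.com"),     # broad parent second
]
BAD = list(reversed(GOOD))  # parent block placed first shadows the allow rule

if __name__ == "__main__":
    for host in ("url1.example.com", "www.example.com", "example.com"):
        print(host, evaluate(GOOD, host), evaluate(BAD, host))
    print("shadowed in BAD:", shadowed(BAD))
```

With the rules in the first order, www.example.com still falls through to the parent block, which is why every child domain that should stay reachable needs its own allow rule.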
12-26-2018 02:58 AM
Abhishek, thank you.
Our policies are designed such that the Global Whitelist / Blacklist Objects are inherited to every Domain and applied first through section 'Mandatory Global Policies', followed by "Default DomainName policy".
So, a policy in a Child domain will look something like this (please check the screenshot).
Just before reading your response, I created a similar policy and am awaiting user confirmation.
I am assuming this will work because the "subdomain" sites I want to block are not allowed explicitly in Global Policy.
Waiting for user confirmation.
Thank you in advance.
12-26-2018 02:27 AM
This is not possible. We had a similar issue, opened a TAC case, and TAC advised us to use Cisco Web Security Appliance (WSA).
12-26-2018 03:57 AM - edited 12-26-2018 03:58 AM
If this doesn't work, create a URL object and try creating specific rules. Anyway, please reply with the user confirmation.
Thanks,
Abheesh
PS: Please don't forget to rate and select as validated answer if this answered your question
12-27-2018 01:11 AM - edited 12-27-2018 01:17 AM
It works this way, thanks.
I got another problem with http and https blocking, but I am going to try something and get back.
Thank you.
12-27-2018 01:27 AM
12-28-2018 01:46 AM
Ok problem resolved. Using Objects or URLs in the ACP made no difference.