FMC/FTD - Wildcard URL objects and use of the leading dot

atsukane
Level 3

Hi All,

I asked a question a few days ago on this 4-year-old post but, unsurprisingly, haven't had any response, so I'm starting a new post.

We had a requirement to allow wildcard access to a remote SQL server over tcp/1433, as the host portion of the destination URL can change dynamically.

I've tested with 2 rules, one using a wildcard network FQDN object in "subdomain.domain.com" format (no leading "dot ."), and another rule using a wildcard URL object with the leading dot; both have the port specified as tcp/1433.

The rule with network FQDN object does not work, but the rule with URL object is working fine.

Use of the leading dot in a wildcard URL object was suggested by Rokib Hasan in this post: Solved: Using wildcard in URL filtering - Cisco Community

I then came across another post, Wildcard domain matching on the FTD - Cisco Community, which suggests not using the leading dot, so as a test I removed the leading dot from the URL object and confirmed the rule still works.

Gemini is telling me to use the leading dot.

I haven't found an official doc from Cisco detailing the use of wildcard URLs yet, and I'm pretty confused about the significance of the leading dot.


Thanks,


Ben Weber
Level 1

As you've found, there's not a huge difference between including the leading dot (.cisco.com) and excluding it (cisco.com) when specifying URL objects on the FTD. 

There is a difference, however, between the way that URL objects are treated compared to FQDN objects. FQDN objects operate at the DNS connection layer - when you create an FQDN object, the FTD queries the DNS server and caches the response.  Thus, FQDN objects must be resolvable by a DNS server (and cannot be wildcards). As per this guide:

Q: Is it possible to use wildcards, like *.microsoft.com?
A: No. FQDN must begin and end with a digit or letter. Only letters, digits, and hyphens are allowed as internal characters.

As to whether or not to use the leading dot, I personally find it simpler to create URL objects using the domain name (i.e. cisco.com) and let the matching algorithm work its magic. Both formats should match the root domain and all subdomains - dealer's choice.
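As an added illustration (not code from the thread or from Cisco), a small Python model of the two rules the reply describes: the FQDN-object naming rule quoted from the guide, which rejects wildcards and leading dots, and URL-object domain matching in which the leading dot is optional and the object matches the root domain plus all subdomains. The matching function is an assumption about FTD behaviour based on the reply, not Cisco's implementation; it also shows why a plain suffix check would be wrong (notcisco.com must not match cisco.com).

```python
import re

# Rule quoted in the reply: each label must begin and end with a letter or
# digit, with only letters, digits and hyphens allowed as internal characters.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def is_valid_fqdn_object(name: str) -> bool:
    """Return True if name satisfies the FQDN-object rule quoted in the thread.

    A '*' or a leading dot produces a label that fails the rule, which is why
    a network/FQDN object cannot express a wildcard such as *.microsoft.com.
    """
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def url_object_matches(url_object: str, host: str) -> bool:
    """Model (assumption, not Cisco's code) of URL-object domain matching.

    'cisco.com' and '.cisco.com' are normalised to the same pattern and match
    the root domain and every subdomain, but not a different domain that merely
    ends with the same characters (e.g. notcisco.com).
    """
    pattern = url_object.strip().lower().lstrip(".")
    hostname = host.strip().lower().rstrip(".")
    if not pattern or not hostname:
        return False
    return hostname == pattern or hostname.endswith("." + pattern)


if __name__ == "__main__":
    # Constructed sample inputs mirroring the objects discussed in the thread.
    for candidate in ("subdomain.domain.com", "*.microsoft.com", ".cisco.com"):
        print(f"FQDN object {candidate!r} valid: {is_valid_fqdn_object(candidate)}")
    for obj in ("cisco.com", ".cisco.com"):
        for h in ("cisco.com", "www.cisco.com", "notcisco.com"):
            print(f"URL object {obj!r} matches {h!r}: {url_object_matches(obj, h)}")
```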
