FQDN with wildcards?

Eric Snijders · ‎11-22-2019

So, we have the need to "whitelist" several domains with wildcards. Now i have learned FQDN objects can't have wildcards in them, but what is the way to go if i need to whitelist wildcard domains for HTTPS traffic, in this case?

Karsten Iwen · ‎11-24-2019

The FQDN-based ACLs on the ASA can't do that. But you can do it in the firepower service-module and also on Firepower Thread Defense (FTD).

dustinap · ‎01-24-2021

Is this confirmed to be true or has it been tested to work with " wildcard " FQDN?

I read and linked a Q / A below from the cisco documentation stating that it is not an available feature for 6.3.0, and another here stating the same for version 6.6.

6.3.0: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214698-understand-fqdn-feature-on-firepower-thr.html

6.6.0: https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/reusable_objects.html#ID-2243-000000f2

Q: Is it possible to use wildcards, like *.microsoft.com?
A: No. FQDN must begin and end with a digit or letter. Only letters, digits, and hyphens are allowed as internal characters.

Karsten Iwen · ‎01-24-2021

On FTD/Firepower Service module you would use the URL-Filter for that. Although you can't use "*.example.com", with the matching logic, if you configure "example.com" to be matched, it matches also "anything.example.com".