02-16-2024 12:47 PM
Hi all,
I want to create an allow policy to allow wildcard FQDN domains such as *.download.windowsupdate.com
This is not a function available in FTD/FMC.. I have seen something about utilising URL Filtering Objects to control wildcard FQDNs.. any guides on how to do this?
02-16-2024 12:51 PM
What exactly do you want to allow?
The whole domain?
A specific URL?
What management do you use, FMC or FDM?
MHM
02-16-2024 12:56 PM
These are to allow updates to specific vendors such as MS; they have said to allow *.download.windowsupdate.com, so I assume this is the whole domain and subdomains of the above..
I am migrating the rules from another vendor firewall which was able to create wildcard FQDNs as an object.
Using FMC and not able to create an allow rule using this method..
02-16-2024 01:03 PM
@NetworkMonkey101 what license do you have?
You could use the applications for Windows/Microsoft updates in the access control rule rather than use FQDN.
02-16-2024 01:01 PM
Found a couple of methods, which would be best?
2. Create multiple URL objects for granular control:
Generate individual URL objects for each subdomain you want to restrict. This offers fine-grained control but can be tedious for numerous subdomains.
3. Utilize URL categories for broader control:
Explore Cisco's predefined URL categories, which group websites based on content type. If a category encompasses the entire domain but excludes the specific subdomains you want to allow, use this category in your policy.
Create an "allow" rule for the desired category and a "deny" rule for any other category to effectively allow the specific subdomains you need.
02-16-2024 01:03 PM
Would this be a good workaround?
Creating multiple URL objects for granular control over FQDNs in Cisco FMC involves defining individual objects for each specific subdomain you want to manage access to. Here's a step-by-step guide:
1. Accessing the FMC User Interface:
Log in to the Cisco FMC web interface using your administrator credentials.
2. Navigating to URL Objects:
Go to Objects > Security > URL Objects.
3. Creating a New URL Object:
Click the Add button.
In the Name field, enter a descriptive name for the URL object (e.g., "allow_[invalid URL removed]").
In the Value field, enter the complete subdomain URL using the following format: https://*.subdomain1.example.com. The asterisk (*) serves as a wildcard, matching any character within the subdomain portion.
4. Repeating for Additional Subdomains:
Follow steps 3-4 to create individual URL objects for each subdomain you want to control. Remember to use unique names and the appropriate subdomain URL structure in each object.
5. Utilizing URL Objects in Policies:
Once you've created the necessary URL objects, navigate to Policies > Access Policies.
Edit the relevant policy or create a new one to manage access rules.
In the policy rule, under the Source URL section, select the "Match Any" operator.
Click the Add button and choose URL Object.
Select the appropriate URL object you created for the specific subdomain you want to allow or deny access to.
6. Saving and Deploying the Policy:
Review your policy configuration to ensure accuracy.
Click Save to apply the changes.
Deploy the policy to the affected devices or network segments.
Important Notes:
Remember that using wildcards like "*" in URL objects only matches characters within the subdomain, not the main domain name.
Exercise caution when using this approach, as it can unintentionally allow access to unexpected subdomains if not configured carefully.
For more complex scenarios or advanced configurations, consult the official Cisco documentation or seek expert guidance.
By following these steps and considering the potential implications, you can effectively create multiple URL objects to achieve granular control over specific subdomains within your Cisco FMC environment.
02-16-2024 01:09 PM
You can add a URL list as text and feed it as an SI URL list:
https://rayka-co.com/lesson/cisco-ftd-security-intelligence/
02-17-2024 11:49 AM
I suggest using URL instead of FQDN. So if you create a URL object for download.windowsupdate.com you will be able to match on any URL that has download.windowsupdate.com in the URL. So, for example, you would match on server1.download.windowsupdate.com but you would not match on server1download.windowsupdate.com.
Hope that makes sense.
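Added example, not from any post in this thread and not FMC's own matching code: a small script that contrasts a plain substring check over the URL string (the kind of match the last reply describes) with a wildcard FQDN match that respects DNS label boundaries. The wildcard semantics here are an assumption chosen for the demonstration, not a vendor's documented behaviour, and the sample URLs are constructed. The point it makes visible is the caveat from the step-by-step post above: a loosely written URL object can accept hosts and paths you never intended to allow.

```python
# Added example (not from the thread): compare a label-boundary-aware wildcard
# FQDN match with a plain substring match, so the over-match risk is visible.
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the lowercase host of a URL; bare hostnames are accepted too."""
    if "://" not in url:
        url = "//" + url                    # let urlsplit treat it as a netloc
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def matches_wildcard_fqdn(pattern: str, url: str) -> bool:
    """
    Assumed semantics (ours, not a vendor's): '*' may appear only as the whole
    leftmost label and stands for one or more complete labels, so the pattern
    '*.download.windowsupdate.com' covers hosts under that name but not the
    apex itself and not hosts that merely end in the same characters.
    """
    pattern = pattern.rstrip(".").lower()
    host = host_of(url)
    if "*" in pattern[2:] or (pattern.startswith("*") and not pattern.startswith("*.")):
        raise ValueError("wildcard is only allowed as the leftmost label")
    if pattern.startswith("*."):
        suffix = pattern[1:]                # ".download.windowsupdate.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def matches_substring(value: str, url: str) -> bool:
    """Plain case-insensitive substring check over the whole URL string."""
    return value.lower() in url.lower()


def overmatched(value: str, pattern: str, urls):
    """URLs accepted by the substring check but rejected by the wildcard match."""
    return [u for u in urls
            if matches_substring(value, u) and not matches_wildcard_fqdn(pattern, u)]


# Constructed sample URLs for the demonstration; none are real endpoints.
SAMPLE_URLS = [
    "https://a.download.windowsupdate.com/file.cab",
    "https://b.c.download.windowsupdate.com/",
    "https://download.windowsupdate.com/",
    "https://server1download.windowsupdate.com/",
    "https://cdn.example.test/download.windowsupdate.com/file.cab",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:60} wildcard={matches_wildcard_fqdn('*.download.windowsupdate.com', u)!s:5} "
              f"substring={matches_substring('download.windowsupdate.com', u)}")
    print("over-matched:", overmatched("download.windowsupdate.com",
                                       "*.download.windowsupdate.com", SAMPLE_URLS))
```

Running it lists three URLs that the substring check accepts but the boundary-aware match rejects: the apex host, a host whose name only ends in the same characters, and an unrelated host whose path happens to contain the string. Whichever object type you end up using, testing your allow list against a handful of deliberately awkward URLs like these before deploying is a cheap way to catch the over-match the "Important Notes" warn about.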