
Should blocking URL ign.com also block verisign.com? Seeing conflict with Cisco documentation...

Jack G
Level 1

I just tested blocking ign.com, but I can confirm it does not block verisign.com. Thoughts? I seem to be in conflict with the documentation below. I'm testing with FMC and FTD 6.6. Screenshots attached below. When I go to verisign.com I see it's matching the allow rule.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/url_filtering.html#ID-2189-0000027e

 

To determine whether network traffic matches a URL condition, the system performs a simple substring match. Matching is NOT anchored at the top level domain. If the allowed string matches any part of the requested URL, the URLs are considered to match.

Example 1:

You want to explicitly block ign.com (a gaming site). However, substring matching means that blocking ign.com also blocks verisign.com.

1 Reply

Hi,

You get it right: blocking ign.com will block the root domain (ign.com) and all subdomains (*.ign.com). But it will not block root domains that include the keyword (ign.com).

It is not *ign.com but it is *.ign.com. Hope this is helpful.

**** please remember to rate useful posts
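
The two matching behaviours discussed in this thread (the substring match quoted from the configuration guide and the domain/subdomain match described in the reply), side by side as an added Python example; it is not Cisco's code and does not show how FMC/FTD implements matching. The function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL; bare hostnames are accepted."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat the input as a network location
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def substring_match(entry: str, url: str) -> bool:
    """Behaviour quoted from the guide: the entry matches any part of the URL."""
    return entry.lower() in url.lower()

def domain_match(entry: str, url: str) -> bool:
    """Behaviour described in the reply: the domain itself or any subdomain."""
    entry = entry.lower().rstrip(".")
    host = host_of(url)
    return host == entry or host.endswith("." + entry)

def collateral(entry: str, urls: list[str]) -> list[str]:
    """URLs a substring rule would catch that a domain-anchored rule would not."""
    return [u for u in urls
            if substring_match(entry, u) and not domain_match(entry, u)]

# Constructed sample requests (not taken from the thread's screenshots).
SAMPLE_URLS = [
    "https://ign.com/",
    "https://www.ign.com/articles",
    "https://verisign.com/",
    "https://www.verisign.com/en_US/",
    "https://example.org/redirect?to=ign.com",
    "https://design.company.example/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:42} substring={substring_match('ign.com', u)!s:5} "
              f"domain={domain_match('ign.com', u)}")
    print("collateral:", collateral("ign.com", SAMPLE_URLS))
```

Running a candidate block entry through `collateral()` against a sample of proxy or connection-log URLs shows which unrelated sites would be caught if the device applies substring matching.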