Beginner

Using wildcard in URL filtering

Hi,

How can I block all connections to *.microsoft.com (for example)?

Can I use a custom URL object *.microsoft.com, or doesn't Firepower support wildcards?

Hall of Fame Guru

Firepower supports wildcards in URL objects.

See the screenshot below taken from my FMC 6.2.2:

[Screenshot: FMC URL object with wildcard.PNG]

I can create an object, but it doesn't work in access rules.

Accepted solution

Sorry about that - you are correct. I found a technote mentioning this as well:

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118852-technote-firesight-00.html#anc14

I tested on my FMC just now and found the same. However, if I instead use microsoft.com instead of *.microsoft.com as my URL object, it works due to substring matching, as described in the technote.

Yes, I found this technote...

It works, but it's not the same, because, for example, oldmicrosoft.com will be blocked as well, but it's another domain.

Quite true - that is a limitation of the current platform.

I will remember to bring this up with the Cisco engineers at next week's Security team event.

So, what was the resolution to this?

We have a URL blacklist with, as an example, 777.com in it.

777.com blocks, but www.777.com does not.

So, it appears the substring matching works if I create an actual URL object, then block it.

Substring matching, however, does not work when populating a blacklist/whitelist in the Security Intelligence URL Lists and Feeds.
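The two failure modes raised in this thread (substring matching on a URL object catching the unrelated oldmicrosoft.com, and an exact entry of 777.com in a Security Intelligence list missing www.777.com) are easy to confuse when reviewing a block list. The following is an added example, not Cisco's code and not taken from the technote; it models three matching behaviours as simplifications inferred from the posts (substring over the whole URL string, exact host, and label-boundary domain suffix) so an administrator can check offline which entries a candidate URL would hit under each rule. Entry and URL values are constructed for illustration.

```python
"""Added example (not Cisco's code): models the matching behaviours the
thread describes so their side effects can be checked offline.

Assumptions, inferred from the thread and labelled here:
  - URL-object entries without a wildcard are matched as substrings of the
    URL string (why "microsoft.com" also catches "oldmicrosoft.com").
  - Security Intelligence list entries are matched only against the exact
    host ("777.com" blocks 777.com but not www.777.com).
  - "domain suffix" is the stricter behaviour the poster expected from
    "*.microsoft.com": the host itself or any of its subdomains.
The real product semantics are more involved; this is a simplified model.
"""
from urllib.parse import urlsplit

# Constructed block list with the entries discussed in the thread.
BLOCKLIST = ["microsoft.com", "777.com"]


def hostname(url):
    """Return the lower-cased host part of a URL; tolerate a bare host."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def substring_match(url, entries):
    """URL-object style matching (as modelled here): an entry hits if it
    occurs anywhere in the URL string. Over-matches look-alike domains and
    even query strings."""
    haystack = url.lower()
    return [e for e in entries if e.lower() in haystack]


def exact_host_match(url, entries):
    """Security-Intelligence-list style matching as reported in the thread:
    the entry must equal the host exactly, so subdomains are missed."""
    host = hostname(url)
    return [e for e in entries if host == e.lower()]


def domain_suffix_match(url, entries):
    """Label-boundary matching: hit if the host is the entry or ends with
    '.' + entry. Accepts entries written as 'example.com' or '*.example.com'."""
    host = hostname(url)
    hits = []
    for entry in entries:
        base = entry.lower()
        if base.startswith("*."):
            base = base[2:]
        if host == base or host.endswith("." + base):
            hits.append(base)
    return hits


def compare(urls, entries):
    """Return {url: {mode: matched_entries}} for a quick policy review."""
    return {
        url: {
            "substring": substring_match(url, entries),
            "exact_host": exact_host_match(url, entries),
            "domain_suffix": domain_suffix_match(url, entries),
        }
        for url in urls
    }


if __name__ == "__main__":
    # Constructed sample URLs covering the cases raised in the thread.
    samples = [
        "http://www.microsoft.com/",
        "http://oldmicrosoft.com/",                 # different domain; substring over-matches
        "http://777.com/",
        "http://www.777.com/",                      # exact-host matching misses this
        "http://example.test/?ref=microsoft.com",  # substring hits on the query string
    ]
    for url, result in compare(samples, BLOCKLIST).items():
        print(url, result)
```

Running the script prints one line per sample URL with the entries each mode would match. The domain-suffix mode is the one that gives the behaviour the original poster wanted from *.microsoft.com: www.microsoft.com and login.microsoft.com hit, oldmicrosoft.com does not, and a URL that merely mentions microsoft.com in its query string is left alone.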

This document might be helpful: FTD URL Filtering - How it works?

VIP Advocate

Accepted solution

I remember not long ago I opened a Cisco TAC case with a similar issue, and TAC advised using a WSA. According to them, FMC/Firepower sensors do not support wildcards in URL filtering.
Please do not forget to rate.

Beginner

What came of this?
If Firepower cannot process wildcards, why does the product allow them to be created? Surely it's not that hard to detect a wildcard, not save it, and put up a screen that advises so?