Wildcard domain matching on the FTD


I am trying to limit internet access for a server that needs access to several wildcard-based domains, and I can't figure out if that is possible on a Firepower FTD managed by FMC.

As an example, one of the requirements is:
*.compute-* - TCP 80, 443


My understanding is that wildcards won't work in an FQDN based access rule.

Is a workaround to have a URL-based rule to allow ?


I am confused whether this will work, as I have only seen URL matching used for filtering (blocking), and the other piece of the puzzle is that it takes 5 or so packets of an HTTP request before the URL is even seen...


This post talks a bit about creating the wildcard for a URL:
Firepower does support wildcards, but not in this format like (* rather it supports the ( format. You can create a URL object with value ( for blocking a whole domain; it will block for or any other subdomain after So use a dot (.) instead of an asterisk (*) and it will work fine. I am testing it in a production environment.



This article specifies that the wildcard won't work in an access rule.




Marius Gunnerud (VIP Advisor)

If you configure a URL object (ex. and reference that in the rule, this will match any URL that contains  This could be or even  So it is not a wildcard per se, but it will act much like a wildcard.

Please remember to select a correct answer and rate helpful posts


I'm working on a similar issue with Office 365. Aldex-PR, did the below suggestion work for you? 

The way that I find works best is URL matching.

It is not quite a wildcard match, but close. It basically allows all the subdomains and directories.

As an example, if you create it as it will allow as **

The match is made when the URL is seen in the first few packets. So essentially the ACL will allow the handshake to start and will then kill the session if it cannot match the URL.



To do it:

1 - Create URL objects 

As an example:   (don't put a * or . in front)


2 - Create an ACL

Make your destination network ANY (or limit it geographically, etc.)

Dest Port HTTP/HTTPS, etc.

URLs - Enter your group of URLs


Note that this will not work for protocols that don't send a URL in the first few packets.




FQDN matching - I don't think this will work for what you are doing. Basically, how it works is that it creates a dynamic ACL by periodically querying the FQDNs that you tell it to. So if you don't know every subdomain that it will use, you are hooped.



As for O365, what you may need to do if the URL object doesn't get it to work is create a network group with the 10 or so large network ranges they have listed on their support sites (way more if you are doing IPv6). From there, create an ACL that matches an IP from that range and the port.




Good luck.
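To make the two behaviours described in the replies above concrete (Marius Gunnerud's "matches any URL that contains" the object value, and perryj1's "dynamic ACL by periodically querying the FQDNs"), here is a small Python model written for this thread; it is not code from Cisco, FMC or anyone in the discussion. The `contains` comparison follows the replies' description of a URL object; the `host_suffix` comparison is added only for contrast and is not a claim about what FMC does internally. All domain names, URLs and DNS answers are constructed sample data using documentation ranges and the `.test` TLD.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set
from urllib.parse import urlsplit


def url_object_matches(url_object: str, url: str) -> bool:
    """URL-object style match as the replies describe it: the object value is
    looked for anywhere in the URL, so ".example.com" behaves like a wildcard
    for every host under example.com (case-insensitive)."""
    return url_object.lower() in url.lower()


def host_suffix_matches(url_object: str, url: str) -> bool:
    """Stricter comparison, added here for contrast only: look at the host
    part of the URL and require it to be the domain or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    domain = url_object.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_urls(url_object: str, urls: Iterable[str]) -> Dict[str, Dict[str, bool]]:
    """Per URL, what each comparison decides, so the differences stand out."""
    return {
        u: {
            "contains": url_object_matches(url_object, u),
            "host_suffix": host_suffix_matches(url_object, u),
        }
        for u in urls
    }


def over_matches(url_object: str, urls: Iterable[str]) -> List[str]:
    """URLs the 'contains' rule would allow although the host is not under
    the intended domain (the string appears elsewhere in the URL)."""
    return [u for u, r in classify_urls(url_object, urls).items()
            if r["contains"] and not r["host_suffix"]]


@dataclass
class FqdnObject:
    """Model of an FQDN network object: the firewall periodically resolves the
    name and the rule applies to whatever addresses came back last time."""
    name: str
    resolved: Set[str] = field(default_factory=set)

    def refresh(self, dns: Dict[str, List[str]]) -> None:
        # Stand-in for the periodic DNS query; 'dns' is a constructed table.
        self.resolved = set(dns.get(self.name, []))


def fqdn_rule_allows(objects: Iterable[FqdnObject], dst_ip: str) -> bool:
    """True if dst_ip is among the currently resolved addresses of any object."""
    return any(dst_ip in o.resolved for o in objects)


# Constructed sample data (RFC 5737 addresses and the reserved .test TLD).
SAMPLE_URLS = [
    "https://api.example.com/v1/items",
    "http://cdn.example.com:8080/static/app.js",
    "https://example.com/",                          # apex: no leading dot in the URL
    "https://www.example.com.attacker.test/login",   # host is not under example.com
    "https://attacker.test/.example.com/phish",      # object string only in the path
    "https://notexample.com/",                       # different domain
]
SAMPLE_DNS = {
    "api.example.com": ["192.0.2.10", "192.0.2.11"],
    "cdn.example.com": ["198.51.100.5"],
}


if __name__ == "__main__":
    for url, result in classify_urls(".example.com", SAMPLE_URLS).items():
        print(f"{url:48} contains={result['contains']!s:5} host_suffix={result['host_suffix']}")
    print("over-matched by 'contains':", over_matches(".example.com", SAMPLE_URLS))

    api = FqdnObject("api.example.com")
    api.refresh(SAMPLE_DNS)
    print("api.example.com resolved to", sorted(api.resolved))
    print("192.0.2.10 allowed:", fqdn_rule_allows([api], "192.0.2.10"))
    print("198.51.100.5 (cdn host, never listed) allowed:", fqdn_rule_allows([api], "198.51.100.5"))
```

Two things the run shows that the prose does not spell out: a leading-dot object such as `.example.com` does not match the bare apex `https://example.com/` under a contains comparison (there is no dot before the host), while it does match URLs whose host is not under example.com at all when the string appears later in the host or in the path. The FQDN object, by contrast, only ever covers addresses returned for names it was explicitly told to resolve, which is exactly why an unknown subdomain is not reachable through it.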










@perryj1 I have actually had more success in some scenarios setting up an FQDN network object, especially in scenarios where remote-side IPs change frequently. Set up a new network object (FQDN) and assign this object in your ACP as the destination. As long as you have DNS set up properly, this should work. From the FTD command line you can issue > show fqdn to verify resolution.


Thanks for the advice. While I believe the URL method should work, the potential for the many URLs that MS uses to change has led us to try and automate updating the object group in FMC that we will use in our ACP.
