thanks for the hint! I think I´ll try this one then, even I´m wondering I didn't stumble over this in more than 20 years Cisco meanwhile.
But before I still want to try to get the FQDN-feature (with the object-group) somehow to work, didn´t have luck yet...fiddled around in my lab yesterday with CSR1000V don´t get what's wrong here

Try If you face issue let me know 

thanks 

MHM

OK, since you asked for it , I will show you my (IMO) absolutely dumbed down constellation for testing in the lab...including the topology and the configuration of my virtual CSR.
As you can see, I set up 4 Dockers which represent 4 web servers:

microsoft.de
teams.microsoft.com
o365.microsoft.com
dieanderen.de

On these docker containers I have Apache2 running.

As well I put another PC (upper left) directly in "the internet", to check if the webservers are available, avoiding some virtalization issues by doublechecking on this one.
The "internet" is simply a virtual 3725 with a NM16-ESW, routes, and so on. Also there is a loopback with 8.8.8.8 on it, acting as my name server, which works perfectly fine. Typical playground setup, as I would call it.

What I wanted to achieve with my config:
I can access microsoft.de, teams.microsoft.com, o365.microsoft.com, while dieanderen.de should be blocked.
Nope, I can still access all of the web servers from the virtual Win10 with 192.168.1.10, the DNS comes btw from the 192.168.1.100 next to it. When I don´t configure the zone-pairs, but the zones, traffic doesn´t go through, as expected.
When I don´t have the zones on gi1 and gi2, everything traverses the router, also as expected.

But as soon as I put the zones on the interfaces AND the zone-pairs in the configuration, I can access still everything, and not excluded the domain dieanderen.de...which makes me scratch my head.



And here the config of "TEST-ZBFW":

version 17.3
!
hostname TEST-ZBFW
!
no aaa new-model
!
ip name-server 8.8.8.8
ip domain name mumumumu.net
!
parameter-map type inspect FW-INSPECT-LOG
audit-trail on
multilink bundle-name authenticated
!
object-group fqdn OGN-MICROSOFT-FQDNS
pattern .*\.microsoft\.com
pattern microsoft\.de
!
object-group service OGS-MICROSOFT
icmp
tcp eq www
!
class-map type inspect match-all FW-CLM-MICROSOFT
match access-group name MATCH-MICROSOFT
! 
class-map type inspect match-any FW-CLM-LAN
match protocol icmp
match access-group name MATCH-MICROSOFT
match access-group name MATCH-LAN-ALLOWED
!
policy-map type inspect FW-PLM-LAN-INTERNET
class type inspect FW-CLM-MICROSOFT
inspect FW-INSPECT-LOG
class type inspect FW-CLM-LAN
inspect FW-INSPECT-LOG
class class-default
drop log
!
zone security FW-ZONE-LAN
zone security FW-ZONE-INTERNET
zone-pair security FW-ZP-LAN-WAN source FW-ZONE-LAN destination FW-ZONE-INTERNET
service-policy type inspect FW-PLM-LAN-INTERNET
!
interface GigabitEthernet1
ip address 99.99.99.2 255.255.255.252
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip access-group LAN-IN in
negotiation auto
no mop enabled
no mop sysid
!
ip nat inside source list NAT interface GigabitEthernet1 overload
ip route 0.0.0.0 0.0.0.0 99.99.99.1
!
ip access-list extended MATCH-LAN-IN
10 permit ip host 192.168.1.100 any
! 
ip access-list extended MATCH-MICROSOFT
10 permit object-group OGS-MICROSOFT any fqdn-group OGN-MICROSOFT-FQDNS
! 
ip access-list extended NAT
10 permit ip 192.168.1.0 0.0.0.255 any

 Maybe you (or anyone else?) have an idea where I got sth wrong here.
Wouldn´t make me wonder, since I also never used the feature "object-group fqdn" before, discovered it just last week.
See here:
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/221876-configure-zbfw-using-fqdn-acl-pattern-ma.html
As my possible savior...but not so much, by now

Kind regards,

Andreas

from theory it can work IF the router can resolve the FQDN to IP 
here you config dns server and I think ip domain-lookup is by default add (make sure by add this command again)
last step is from router 
ping to one of FQDN and see if router can resolve it or not ?

MHM 

Yeah, this all works fine. Double-checked it over and over again.
And yes, I see, I scrubbed it out when I pasted the config here. I´ll edit it, misleading.

But, as I said, the name resolution definitely works, because the main problem I have is...the PC on the left side can still access all the web servers, including dieanderen.de , in his browser.

Makes me sort of nuts

Doublechecked...it´s on by default, you were right:

TEST-ZBFW#ping microsoft.de 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 80.0.0.2, timeout is 2 seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/56/161 ms 
TEST-ZBFW# 
TEST-ZBFW#sh ru | i ip_domain 
ip domain name mumumumu.net 
TEST-ZBFW#  

Hello
why class-map  FW-CLM-LAN when FW-CLM-MICROSOFT  this is basically performing the same action, also if you want access microsoft\.de blocked just dont include it in the object OGN-MICROSOFT-FQDNS it then should get pushed into the class class-default and dropped.

could you try the following:

object-group fqdn OGN-MICROSOFT-FQDNS
pattern .*\.microsoft\.com

no policy-map type inspect FW-PLM-LAN-INTERNET
policy-map type inspect FW-PLM-LAN-INTERNET
class type inspect FW-CLM-MICROSOFT
inspect
class class-default
drop log

Can you post the output of:

show zone security
show policy-map inspect zone-pair sessions

Hi Paul,

no, you got me wrong here:

What I want to achieve is enabling the Microsoft-doamins, while blocking out the domain dieanderen.de

And this is what confuses me, because as I understand the object-definition/policy-maps, everything which is NOT defined by me (which dieanderen.de is obviously NOT, unlike microsoft.de and *.microsoft.com) should fall in class-default and therefore, according to my instruction, be blocked. Which doesn´t happen...

Hello
LOL apologies - 
See attached..

no worries...I am constantly editing my posts here too, the problem of only being halfbrained while the other part is saving the world somewhere else at the moment. let me try later, hopefully I will have not a too long Friday...it´s always on Fridays, no?

Hi, i am at it finally again. And by now i can definitely say...nope, not working. At least not in the production routers.

"

Restrictions for Web Filtering

Hi friend I forget you

Sorry I was busy 

Dont worry I will check in my lab using fqdn and update you

Thanks for waiting 

MHM

no worries...fully busy with other topics, just fot back to that yesterday evening...and the whole day

Hi Alisha,

Exactly, it´s what I want to achieve.

And it's what I did:
1. resolution of the FQDNs work fine
2. you see the running config of my testbox, seems he understood what I wanted
3. yes, I thought so too

...just somehow...no success...