09-23-2021 12:11 PM
On my IronPort WSA, I would like to block, via regex, any possible TLD for a given domain (apparently around 1400).
A recent sample reason / example why: autodiscover.*** (ref: https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-autodiscover-bugs-leak-100k-windows-credentials/ )
Two questions here:
1) I would imagine that the following would be the regex expression for it, but I haven't found any articles on this, and want to double check. Is this how?: autodiscover\..*/
Yes?
2) In addition, I would also like to block any possible subdomains. It would appear from Cisco's regex man page that wildcard beginnings are not possible. Am I correct in this understanding?
If #2 is true, then #1 is defeatable and futile, and I should just enter everything twice (once for the parent domain [domain.***], and once for the subdomain [.domain.***]) into the "sites" field, not the "Regular Expressions" field, yes?
09-23-2021 06:22 PM
10-19-2021 04:09 AM
Hello @Naterade
If possible, avoid any regex, as they slow down the WSA and can produce unexpected results (false positives and false negatives).
If you want to block any subdomain of a particular website, just use the .example.com pattern (note the dot in front of example.com) in a block list.
For example, if you need to access www.example.com but block any other subdomain of example.com, create a custom URL category that is processed before a block custom URL category, and put ".example.com" in the block list and "www.example.com" in the allow list.
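The two approaches discussed in this thread, compared over constructed URLs (an added example, not part of the original posts and not Cisco code). It assumes Python `re` semantics for the question's pattern and the site-list semantics described above (leading dot matches any subdomain, bare entry matches the exact host); `STRICT_HOST_RE` and all function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Pattern from the question, evaluated with Python's `re` (assumption: the
# WSA's own regex engine and the string it matches against may differ).
QUESTION_RE = re.compile(r"autodiscover\..*/")
# Hypothetical stricter form: the host is exactly "autodiscover.<one label>".
STRICT_HOST_RE = re.compile(r"^autodiscover\.[a-z0-9-]+$")


def host_of(url):
    return (urlsplit(url).hostname or "").rstrip(".")  # hostname is lower-cased


def regex_verdicts(url):
    """Return (question_pattern_hit, strict_host_hit) for one URL."""
    return (QUESTION_RE.search(url) is not None,
            STRICT_HOST_RE.match(host_of(url)) is not None)


def in_site_list(host, entries):
    """Assumed semantics: '.example.com' = any subdomain, 'example.com' = exact."""
    return any(host.endswith(e) if e.startswith(".") else host == e
               for e in entries)


def site_list_verdict(url, allow, block):
    """Allow category is evaluated before the block category, as in the reply."""
    host = host_of(url)
    if in_site_list(host, allow):
        return "allow"
    return "block" if in_site_list(host, block) else "default"


# Constructed sample URLs, not taken from the thread.
SAMPLES = [
    "https://autodiscover.test/autodiscover/autodiscover.xml",  # intended hit
    "https://autodiscover.example.com/autodiscover/autodiscover.xml",  # own host
    "https://www.example.com/search?q=autodiscover.faq/",  # text in query only
    "https://autodiscover.co.uk/autodiscover/autodiscover.xml",  # 2-label suffix
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(regex_verdicts(url), url)
    for url in ("https://www.example.com/", "https://mail.example.com/",
                "https://notexample.com/"):
        print(site_list_verdict(url, ["www.example.com"], [".example.com"]), url)
```

The unanchored pattern hits all four samples, including an organisation's own `autodiscover.example.com` host and a query string. The host-anchored form misses the two-label suffix case, and telling that case apart from `autodiscover.example.com` needs a public suffix list, which a regex cannot express.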