on 11-15-2022 06:56 AM - edited on 11-04-2024 05:42 PM by JayGolf
This article is based on the discussion "Cannot block theoxymoron.xyz," by @Brandon54 and answered by @Adrian_Jensen and @OtakarKlier. Read on to see the discussion and solution!
Hello, I have been trying to block the site theoxymoron.xyz but cannot get it to block. I have tried URL filtering with many different versions of the URL, as well as blocking the IP addresses for the site, neither of which worked for me. We do not use decryption. Any help would be appreciated.
Actually, there are many ways to do this. If you are using a Security Policy with a URL Filter policy attached, you can do something like this:
First you should have an existing Security Policy for your general internet bound traffic. You may want to use the "Test Policy Match" tool at the bottom of the Security Policy page to verify whether or not traffic is actually using the intended policy.
The URL Filter must also be something other than "default", as you cannot change the default filter categories.
Policies->Security
name=Internet Access
SrcZone=Trust
SrcAddr=CorpInternalIPs
DstZone=Untrust
DstAddr=any
Application=any
Service=any
Action=Allow
Profile Settings->URL Filtering=CorpURLFilter
Then create a custom URL Category for all domains you want to block (regardless of their other automatic categorization). The entries should only be the FQDN and possibly a URL path (path will only work if you are doing SSL decryption).
NOTE: Without encryption it can be a bit trickier as you only have the SNI to work off of.
The entries should be terminated with a slash or other delimiter to ensure variable expansion doesn't match to unintended paths (see examples of using wildcards in URL filtering profiles).
Be sure to add both the root and wildcard server names as the wildcard will not capture the root by itself.
Don't put http/https specific resource indicators:
Objects->Custom Objects->URL Category
name=Corp-Block
sites=
theoxymoron.xyz/
*.theoxymoron.xyz/
Now in your URL Filtering policy you should see your custom URL Category. Set the Site Access to "block":
Objects->Security Profiles->URL Filtering
name=CorpURLFilter
Category=
ᐁ Custom URL Categories:
Corp-Block=block,block
...
ᐁ Predefined Categories
... whatever your corporate URL categories filtering policies are...
Your Custom URL Category will override the Predefined Categories settings for anything matching your CorpBlock.
Alternatively, you can block based solely on IP address.
This can be a bit more troublesome as, depending on the hosting, the website may be hosted on more IPs than the PA can track, may use fast-flux DNS, may use many FQDN names, or may use multiple redirects. This only works when you know the specific FQDN. Unfortunately there isn't a way to wildcard address objects. Start by creating some address objects to block:
Objects->Addresses
name=theoxymoron-xyz
type->FQDN=theoxymoron.xyz
name=www-theoxymoron-xyz
type->FQDN=www.theoxymoron.xyz
Now create a new internet-bound rule for the specific destination IPs you want to block. You don't need a URL filtering policy or other attributes on this as you will just be blocking:
Policies->Security
name=Internet-BlockDestinations
SrcZone=Trust
SrcAddr=CorpInternalIPs
DstZone=Untrust
DstAddr=theoxymoron-xyz,www-theoxymoron-xyz
Application=any
Service=any
Action=Block
Depending on how you have your firewall set up, and your security posture, you may want to use one path or the other. I use both of the above methods (and other methods) for various categories of blocking: FQDN/domain-based URL Filtering based on URL root names for general websites, and Security Policy general blacklists for various other IPs and networks that should never have any traffic, http/https or otherwise.
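The answer above makes three points about custom URL category entries that are easy to get wrong: a wildcard entry does not cover the bare root, an entry without a terminating slash also matches longer hostnames, and a path component only matters when SSL decryption is in place (without it the firewall only sees the TLS SNI). The script below is an added example, not code from the original post or from Palo Alto Networks. It is a simplified model of those matching rules as the answer describes them, plus a small lint for a category list; the exact matching behaviour of the firewall is an assumption here, so treat the model as a way to reason about a list before committing it, not as the product's own implementation. The `CORP_BLOCK` list mirrors the Corp-Block category from the answer.

```python
"""Model of PAN-OS custom URL category matching against the SNI hostname,
plus a lint for common list mistakes. Added example; the matching rules are
a simplified reading of the behaviour described in the answer (assumption)."""


def _split_entry(entry):
    """Split an entry into (host_pattern, path_prefix).

    path_prefix is None when the entry is not terminated with '/'.
    """
    host, sep, path = entry.partition("/")
    return host.lower(), ("/" + path) if sep else None


def entry_matches(entry, host, path=None):
    """Does one category entry match a hostname (and, if decrypted, a path)?

    path=None means there is no decryption: the firewall sees only the SNI,
    so an entry that carries a path component cannot match at all.
    """
    host = host.lower()
    pat, path_prefix = _split_entry(entry)
    terminated = path_prefix is not None
    if pat.startswith("*."):
        suffix = "." + pat[2:]
        # A wildcard never covers the bare root: "theoxymoron.xyz" is not
        # a match for "*.theoxymoron.xyz", which is why both entries are needed.
        host_ok = host.endswith(suffix) if terminated else suffix in host
    else:
        # An unterminated entry behaves like a string prefix and so also
        # matches longer names such as "theoxymoron.xyz.example".
        host_ok = (host == pat) if terminated else host.startswith(pat)
    if not host_ok:
        return False
    if not terminated or path_prefix == "/":
        return True  # no path constraint
    if path is None:
        return False  # path entry, but no decryption: the path is invisible
    return path.startswith(path_prefix)


def is_blocked(host, entries, path=None):
    """True if any entry of the custom category matches the host (and path)."""
    return any(entry_matches(e, host, path) for e in entries)


def lint_category(entries):
    """Return (entry, problem) pairs for mistakes the answer warns about."""
    problems = []
    roots = {_split_entry(e)[0] for e in entries
             if "://" not in e and not e.startswith("*.")}
    for e in entries:
        if "://" in e:
            problems.append((e, "scheme prefix: do not include http:// or https://"))
            continue
        host, path_prefix = _split_entry(e)
        if path_prefix is None:
            problems.append((e, "not terminated with '/': also matches longer hostnames"))
        elif path_prefix != "/":
            problems.append((e, "has a path: only enforceable with SSL decryption"))
        if host.startswith("*.") and host[2:] not in roots:
            problems.append((e, "wildcard without root entry: add '%s/' too" % host[2:]))
    return problems


# The Corp-Block category from the answer (constructed copy of the two entries).
CORP_BLOCK = ["theoxymoron.xyz/", "*.theoxymoron.xyz/"]

if __name__ == "__main__":
    for sni in ("theoxymoron.xyz", "www.theoxymoron.xyz", "theoxymoron.xyz.example"):
        print("%-28s blocked=%s" % (sni, is_blocked(sni, CORP_BLOCK)))
    for entry, problem in lint_category(["*.theoxymoron.xyz/", "https://theoxymoron.xyz/"]):
        print("lint: %s -> %s" % (entry, problem))
```

Run it with no arguments to see the two-entry list block the root and every subdomain while leaving `theoxymoron.xyz.example` alone, and to see the lint flag a wildcard-only list and an entry with a scheme prefix. Feeding it the hostnames from a traffic log export (SNI column) is a quick way to check a proposed list before the firewall commit.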
Because its original categorization is 'Proxy Avoidance and Anonymizers', you can even simply block this category.