03-28-2019 04:13 AM
We started using Custom URL Categories, and it seems when we define a site, we have to add both a wildcard to cover any subdomain and a / to cover all URIs/URLs of the domain, i.e.:
*.acme.corp (To cover subdomains)
acme.corp/ (To cover all URLs/URIs to the domain)
My question (I'm getting into this deployment late) is this: my predecessor said that combining the two did not seem to work:
*.acme.corp/
Does this seem to be the case via people's experience?
Thanks!
Mike
03-28-2019 07:58 AM
You need both. You were correct in writing:
*.acme.corp (To cover subdomains)
acme.corp/ (To cover all URLs/URIs to the domain)
*.acme.corp = anything coming before (.) acme.corp and anything under that variation
*.acme.corp will not = anything acme.corp and anything after.
The asterisk is a wildcard.
03-28-2019 08:54 AM
Hi Mike
Here's an article on wildcard guidelines: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/url-filtering/url-category-exception-lists
/ is used as a token separator to prevent your TLD being part of a larger domain
e.g. 'my.com'
could also hit
my.company.com
so you can add the / to 'end' the string
wildcards like * should not influence that (make sure to not use wildcards at the end of a string)
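An added example (not from the thread or from Palo Alto Networks): a small Python lint that checks a custom URL category list against the advice in the replies above. It does not reproduce the firewall's matching engine; the function name, finding labels and sample entries are assumptions made for illustration.

```python
# Added example: lint a custom URL category list against the thread's advice.
# Hypothetical helper; it does NOT model how the firewall matches URLs.

def lint_url_entries(entries):
    """Return (entry, finding) tuples for entries that ignore the advice."""
    cleaned = [e.strip().lower() for e in entries if e.strip()]
    present = set(cleaned)
    findings = []
    for entry in cleaned:
        host, slash, path = entry.partition("/")
        if entry.endswith("*"):
            # "make sure to not use wildcards at the end of a string"
            findings.append((entry, "trailing-wildcard"))
        if host.startswith("*.") and slash and not path:
            # The combined form (*.acme.corp/) reported as not working.
            findings.append((entry, "combined-wildcard-and-slash"))
            continue
        if host.startswith("*."):
            base = host[2:]
            # "You need both": the wildcard entry needs the bare domain too.
            if base not in present and base + "/" not in present:
                findings.append((entry, "missing-bare-domain"))
        else:
            if not slash:
                # No "/" to end the string after the domain.
                findings.append((entry, "no-trailing-slash"))
            if "*." + host not in present:
                # Informational: subdomains are not covered by this entry.
                findings.append((entry, "missing-subdomain-wildcard"))
    return findings


# Constructed sample list (not taken from any real firewall configuration).
SAMPLE = ["*.acme.corp", "acme.corp/", "*.acme.corp/", "my.com", "example.org/*"]

if __name__ == "__main__":
    for entry, finding in lint_url_entries(SAMPLE):
        print(f"{entry:16} {finding}")
```

Treat `missing-subdomain-wildcard` as informational: an entry that is meant to cover only the bare domain is a valid choice.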
03-29-2019 02:03 AM
Hi reaper.
I was a bit surprised about this information that my.com could hit my.company.com and figured I had to update lots and lots of entries in our custom categories, but I'm unable to repeat this behaviour on PAN-OS 8.0.16. I actually created the FQDNs my.com and my.company.com so they are resolvable and put only my.com in a custom URL category called "molndal-block".
When testing the FQDNs with a browser (tried several), my.com triggers on the custom category but my.company.com does not?
Logs:
I'm guessing this result might depend on whether the browser adds a "/" to the end of the FQDN or not? (Every browser I've tried does this, though.) Or is there some flaw in my testing?