URL Filtering Wildcards?

networkadmin · ‎10-18-2010

I have a custom URL category which contained

*.sourceforge.net with an action of "allow" (the normal action for category shareware/freeware is "alert".

When I visited "http://sourceforge.net" it logged an alert.

I had to change the custom category to contain:

*.sourceforge.net
sourceforge.net

For the allow to take effect.

I was a little surprised as I expected the wildcard to include the primary domain?

James · ‎10-18-2010

Hi There,

Wild cards work within delimeters/separators which are the following:

. (dot)

/ (slash)

? (question mark)

& (ampersand)

= (equal)

; (semi colon)

+ (plus)

So in your example the *.sourceforge.net would need the . (dot) to be there for a match, which it was not.

For some web sites with subdomains, you may need the following:

website.net

*.website.net

*.*.website.net

I hope this helps makes things clearer

Thanks

James

View solution in original post

James · ‎10-18-2010

Hi There,

Wild cards work within delimeters/separators which are the following:

. (dot)

/ (slash)

? (question mark)

& (ampersand)

= (equal)

; (semi colon)

+ (plus)

So in your example the *.sourceforge.net would need the . (dot) to be there for a match, which it was not.

For some web sites with subdomains, you may need the following:

website.net

*.website.net

*.*.website.net

I hope this helps makes things clearer

Thanks

James

networkadmin · ‎10-18-2010

Thanks James, I didn't appreciate the "." was a hard delimiter and had to be present.

James · ‎10-18-2010

No worries - good luck

networkadmin · ‎10-31-2010

So there's something I'd like to do but I'm unsure how.

Right now I have our Exchange server behind the PAN and policies that do SSL decryption as well as URL filtering to only allow:

site.domain.com/oma

site.domain.com/oma/*

site.domain.com/exchange

site.domain.com/exchange/*

site.domain.com/exchweb/*

site.domain.com/favicon.ico

site.domain.com/microsoft-server-activesync

site.domain.com/microsoft-servdeviceid=*

site.domain.com/microsoft-server-acdeviceid=*

site.domain.com/microsoft-server-actdeviceid=*

site.domain.com/microsoft-server-actideviceid=*

site.domain.com/microsoft-server-activdeviceid=*

site.domain.com/microsoft-server-activedeviceid=*

site.domain.com/microsoft-server-activesdeviceid=*

site.domain.com/microsoft-server-activesync?*

site.domain.com/microsoft-server-adeviceid=*

site.domain.com/microsoft-server-deviceid=*

site.domain.com/microsoft-serverdeviceid=*

site.domain.com/public/*

site.domain.com/rpc/*

Which are the URL's that OWA uses (all the ones in the middle are due to how the PAN seems to interpret certain URL's).

I'm looking at an external host monitoring service which would need to check if "site.domain.com" is up, but right now if it tries to connect it reports "Malformed response" as the PAN is blocking/not responding to the request to https://site.domain.com as expected.

If I add "site.domain.com" to the top of my URL allow list above, I'm basically accepting any/all requests which is precisely what I don't want to do.

So how can I allow requests explicitly to "site.domain.com" but only to "site.domain.com" as well as the paths in the list above i.e. a request to "site.domain.com/somethingrandom" would still be denied?

rnitz · ‎11-08-2010

No, there really is no way to do what you are trying. By adding site.domain.com/ to the allow list, it will allow all queries for items to the right of "/".

The only workaround is to create a new security policy for the source IP addresses that the monitoring site uses and either allow all http traffic for that site or create a new URL filtering profile for this new security policy.

networkadmin · ‎11-08-2010

Thanks, I had a feeling from experimenting that might be the case, but at least that confirms it.

Unlock your full community experience!

URL Filtering Wildcards?

URL Filtering Wildcards?

Show your appreciation!