FQDN (Fully Qualified Domain Name) Filter Profile

An FQDN Filter Profile evaluates the FQDN associated with traffic and applies an action to either allow or deny the traffic. In order to evaluate the FQDN, traffic must be TLS encrypted and contain an FQDN in the SNI of a TLS hello header. The FQDN can be evaluated for traffic that is processed by either a Forwarding or Forward Proxy Rule. The set of FQDNs in the Profile can be specified as strings representing the full domain or as Perl Compatible Regular Expressions (PCRE). If only domain filtering is required, it is best to use an FQDN Filtering Profile. An FQDN Filtering Profile can also be used in conjunction with a URL Filtering Profile, where the domain is evaluated using the FQDN Filtering Profile and the URL is evaluated using the URL Filtering Profile.

The FQDN Filtering Profile can use a set of pre-defined Categories. To view more information on Categories, please see FQDN / URL Filtering Categories.

Tech Notes

The FQDN Filter Profile is organized as a table containing user-specified rows (FQDNs and Categories) along with two default rows (Uncategorized and ANY). Categories and FQDNs can be combined within each row if desired.

The limits for each FQDN Filter Profile are as follows:

  • Maximum user-specified rows: 254 (Standalone or Group of Standalones)
  • Maximum Categories and FQDNs per row: 60
  • Maximum FQDN character length: 255

When specifying a multi-level domain (e.g., www.example.com), escape the . character (e.g., www\.example\.com); otherwise it is treated as a wildcard that matches any single character, and the row will match more domains than intended.

Standalone vs. Group

An FQDN Filter Profile can be specified as Type Standalone or Group.

An FQDN Filter Standalone Profile contains FQDNs and Categories. The Profile is applied directly to a set of one or more Policy Ruleset Rules or associated with an FQDN Group Profile.

An FQDN Filter Group Profile contains an ordered list of Standalone Profiles that can be defined for different purposes and combined into a Group Profile. The Group Profile can be applied directly to a set of one or more Policy Ruleset Rules. Each team can create and manage specific Standalone Profiles. These Standalone Profiles can be combined into a Group Profile to create hierarchies or different combinations based on use case. An example combination could be a global FQDN list that applies to everything, a CSP-specific list that applies to each different CSP, and an application-specific list that applies to each different application.

No FQDN in Packet

The FQDN Filtering Profile obtains the FQDN from the SNI of a TLS Hello message for traffic that is TLS encrypted, or from the HTTP Host header for HTTP traffic that is not encrypted. If the SNI or Host header doesn't exist or the FQDN is not a valid FQDN (e.g., an IP address rather than a domain), then the match references specified in the FQDNs/Categories rows and their action will not apply. The action to take will be determined by the "No FQDN in packet" setting.

Uncategorized

  1. The penultimate row in an FQDN Filter Profile, which is represented as Uncategorized
  2. Specifies the Policy action to take for FQDNs that do not match the user-specified FQDNs or do not have a Category
  3. If a Standalone Profile is used in a Group Profile and the Group Profile is applied to a Policy Ruleset Rule, the Uncategorized row will be taken from the Group Profile. The Uncategorized row of a Standalone Profile is only applicable if the Standalone Profile is directly applied to a Policy Ruleset Rule.

Default (ANY)

  1. The final row in an FQDN Filter Profile, which is represented as ANY
  2. Specifies the Policy action to take for FQDNs that do not match the user-specified FQDNs or Categories, or are not Uncategorized
  3. If a Standalone Profile is used in a Group Profile and the Group Profile is applied to a Policy Ruleset Rule, the ANY row will be taken from the Group Profile. The ANY row of a Standalone Profile is only applicable if the Standalone Profile is directly applied to a Policy Ruleset Rule.
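The following Python model of the evaluation order described above (No FQDN in packet, then user rows top to bottom, then Uncategorized, then ANY) is an added example and not product code; the profile rows, the category lookup table and the assumption that PCRE patterns are anchored to the whole FQDN are all constructed for illustration. It also shows why an unescaped . widens a row beyond the intended domain.

```python
import ipaddress
import re

# Constructed profile: rows are evaluated top to bottom. Each row carries PCRE
# patterns and/or Category names plus one of the four Policy actions.
# Assumption: a pattern must match the whole FQDN (hence the leading .*).
ROWS = [
    {"fqdns": [r"www\.example\.com", r".*\.google\.com"], "categories": [], "action": "Allow Log"},
    # Unescaped dots on purpose, to demonstrate the single-character wildcard problem.
    {"fqdns": ["www.twitter.com"], "categories": ["Social Networking"], "action": "Deny Log"},
]
UNCATEGORIZED_ACTION = "Deny No Log"  # penultimate row
ANY_ACTION = "Allow No Log"           # final (ANY) row
NO_FQDN_ACTION = "Deny Log"           # "No FQDN in packet" setting

# Constructed stand-in for the vendor's category database.
CATEGORY_DB = {"www.twitter.com": "Social Networking", "sports.example.net": "Sports"}


def is_fqdn(name):
    """Missing/empty values and IP literals (the page's example) are not FQDNs."""
    if not name or len(name) > 255:
        return False
    try:
        ipaddress.ip_address(name.strip("[]"))
        return False
    except ValueError:
        return "." in name


def evaluate(sni):
    """Return the Policy action for one connection's SNI (or Host header) value."""
    if not is_fqdn(sni):
        return NO_FQDN_ACTION
    category = CATEGORY_DB.get(sni)
    for row in ROWS:
        if any(re.fullmatch(p, sni) for p in row["fqdns"]) or category in row["categories"]:
            return row["action"]
    # No user row matched: no Category -> Uncategorized row, else -> ANY row.
    return UNCATEGORIZED_ACTION if category is None else ANY_ACTION


def escaped_vs_unescaped():
    """Show that only the escaped pattern rejects a constructed look-alike name."""
    loose, strict = "www.twitter.com", r"www\.twitter\.com"
    lookalike = "wwwXtwitterXcom"  # constructed: each dot replaced by another character
    return bool(re.fullmatch(loose, lookalike)), bool(re.fullmatch(strict, lookalike))
```

Note that `evaluate("wwwXtwitterXcom")` returns the second row's action because of the unescaped pattern, which is exactly the over-broad match the escaping rule prevents.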

Create the Profile

Standalone

  1. Navigate to Manage -> Profiles -> FQDN Filtering
  2. Click Create
  3. Provide a Profile Name and Description
  4. Specify the Type as Standalone
  5. Specify an Action for No FQDN in packet
  6. Click Add to create a new row
  7. Specify individual FQDNs (e.g., www.twitter.com, .*.google.com)
    1. Each FQDN is specified as a PCRE (Perl Compatible Regular Expression)
    2. Escape the . character; otherwise it is treated as a single-character wildcard
  8. Specify Categories (e.g., Gambling, Sports, Social Networking)
  9. Specify the Policy action for the user-specified FQDNs/Categories, Uncategorized and ANY rows
    1. Allow Log - Allow the requests and log an event
    2. Allow No Log - Allow the requests and do not log an event
    3. Deny Log - Deny the requests and log an event
    4. Deny No Log - Deny the requests and do not log an event
  10. (Optional) Specify Decryption Exception for any FQDNs where decryption is not desired or possible. Possible reasons for considering Decryption Exception include:
    1. Desire to not inspect encrypted traffic (financial services, defense, health care, etc.)
    2. SSO authentication traffic where decryption is not possible
    3. NTLM traffic that cannot be proxied
  11. Click Save when completed

Group

  1. Navigate to Manage -> Profiles -> FQDN Filtering
  2. Click Create
  3. Provide a Profile Name and Description
  4. Specify the Type as Group
  5. Specify an Action for No FQDN in packet
  6. Select an initial Standalone Profile (at least one Standalone Profile is required)
  7. Specify additional Standalone Profiles
  8. Click Add FQDN Profile to create a new row
  9. Select a Standalone Profile
  10. Specify the Policy action for Uncategorized FQDNs
  11. Specify the Policy action for ANY FQDNs (default)
  12. Optional: Specify Decryption Exception for Uncategorized or ANY if decryption is not desired or possible. Possible reasons for considering Decryption Exception include:
    1. Desire to not inspect encrypted traffic (financial services, defense, health care, etc.)
    2. SSO authentication traffic where decryption is not possible
    3. NTLM traffic that cannot be proxied
  13. Click Save when completed

Associate the Profile

See the Policy Rules document to create or edit Policy Rules and associate the Profile with them.