
FQDN (Fully Qualified Domain Name) Filtering

An FQDN Filtering Profile evaluates the FQDN associated with traffic and applies an action to either allow or deny the traffic. In order to evaluate the FQDN, traffic must contain an FQDN in an HTTP request header or an SNI in a TLS hello header. The FQDN can be evaluated for traffic that is processed by either a Forwarding or Forward Proxy Rule. The set of FQDNs in the Profile can be specified as strings representing the full domain or as strings representing a Perl Compatible Regular Expression (PCRE). If only domain filtering is required, it is best to use an FQDN Filtering Profile. An FQDN Filtering Profile can also be used in conjunction with a URL Filtering Profile, where the domain is evaluated using the FQDN Filtering Profile and the URL is evaluated using the URL Filtering Profile.

The FQDN Filtering Profile can use a set of pre-defined Categories. To view more information on Categories, please see FQDN / URL Filtering Categories.

Tech Notes

An FQDN Filtering Profile is organized as a table containing user-specified rows (FQDNs and Categories) along with two default rows (Uncategorized and ANY). Categories and FQDNs can be combined within each row if desired.

The limits for each FQDN Filtering Profile are as follows:

  • Maximum user-specified rows: 254 (Standalone or Group of Standalones)
  • Maximum Categories and FQDNs per row: 60
  • Maximum FQDN character length: 2048

Categories

Standalone vs. Group

An FQDN Profile can be specified as Type Standalone or Group. A Standalone Profile contains FQDNs and Categories. The Profile will be applied directly to a set of one or more Policy Ruleset Rules or associated with an FQDN Group Profile.

An FQDN Group Profile contains an ordered list of Standalone Profiles that can be defined for different purposes and combined into a Group Profile. The Group Profile can be applied directly to a set of one or more Policy Ruleset Rules. Each team can create and manage specific Standalone Profiles. These Standalone Profiles can be combined into a Group Profile to create hierarchies or different combinations based on use case. An example combination could be a global FQDN list that would apply to everything, a CSP-specific list that would apply to each different CSP, and an application-specific list that would apply to each different application.

Uncategorized

  1. The penultimate row in an FQDN Filtering Profile, which is represented as Uncategorized
  2. Specifies the Policy action to take for FQDNs that do not match the user-specified FQDNs or do not have a Category
  3. If a Standalone Profile is used in a Group Profile and the Group Profile is applied to a Policy Ruleset Rule, the Uncategorized row will be taken from the Group Profile. The Uncategorized row of a Standalone Profile is only applicable if the Standalone Profile is directly applied to a Policy Ruleset Rule.

Default (ANY)

  1. The final row in an FQDN Filtering Profile, which is represented as ANY
  2. Specifies the Policy action to take for FQDNs that do not match the user-specified FQDNs or Categories and are not covered by the Uncategorized row
  3. If a Standalone Profile is used in a Group Profile and the Group Profile is applied to a Policy Ruleset Rule, the ANY row will be taken from the Group Profile. The ANY row of a Standalone Profile is only applicable if the Standalone Profile is directly applied to a Policy Ruleset Rule.

Create the Profile

Standalone

  1. Navigate to Manage -> Profiles -> FQDN Filtering
  2. Click Create
  3. Provide a Profile Name and Description
  4. Specify the Type as Standalone
  5. Click Add to create a new row
  6. Specify individual FQDNs (e.g., www.twitter.com, .*.google.com)
    1. Each FQDN is specified as a PCRE (Perl Compatible Regular Expression)
    2. Consider escaping the . character; otherwise it will be treated as a single-character wildcard
  7. Specify Categories (e.g., Gambling, Sports, Social Networking)
  8. Specify the Policy action for the user-specified FQDNs/Categories, Uncategorized and ANY rows
    1. Allow Log - Allow the requests and log an event
    2. Allow No Log - Allow the requests and do not log an event
    3. Deny Log - Deny the requests and log an event
    4. Deny No Log - Deny the requests and do not log an event
  9. (Optional) Specify Decryption Exception for any FQDNs where decryption is not desired or possible. Possible reasons for considering Decryption Exception include:
    1. Desire to not inspect encrypted traffic (financial services, defense, health care, etc.)
    2. SSO authentication traffic where decryption is not possible
    3. NTLM traffic that cannot be proxied
  10. Click Save when completed
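The following is an added example, not the vendor's code, that models the row evaluation described under Uncategorized and Default (ANY) above and the PCRE caveat from the Standalone steps. It assumes that each FQDN string must match the whole host name (re.fullmatch), that Python's re module behaves like PCRE for the `.`, `\.` and `.*` constructs used here, and it uses a constructed category table (CATEGORY_OF) in place of the product's pre-defined Categories. The Row, Standalone, Group and evaluate names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

# Constructed category lookup standing in for the product's pre-defined
# Categories. Sample values only: real category assignments come from the
# vendor's category data, not from this table.
CATEGORY_OF = {
    "www.twitter.com": "Social Networking",
    "www.espn.com": "Sports",
    "bet.example": "Gambling",
}

ACTIONS = {"Allow Log", "Allow No Log", "Deny Log", "Deny No Log"}


@dataclass
class Row:
    """A user-specified row: FQDN patterns and/or Categories sharing one action."""
    action: str
    fqdns: List[str] = field(default_factory=list)       # PCRE-style strings
    categories: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")


@dataclass
class Standalone:
    rows: List[Row]
    uncategorized: str   # penultimate row: no row match and no Category
    any_action: str      # final row (ANY): no row match but a Category exists


@dataclass
class Group:
    members: List[Standalone]   # evaluated in the order listed
    uncategorized: str          # the Group's own Uncategorized row
    any_action: str             # the Group's own ANY row


def lookup_category(fqdn: str) -> Optional[str]:
    return CATEGORY_OF.get(fqdn.lower())


def row_matches(row: Row, fqdn: str, category: Optional[str]) -> bool:
    # Assumption of this example: a pattern must match the whole host name
    # (re.fullmatch). Python's re treats '.', '\.' and '.*' as PCRE does.
    if any(re.fullmatch(pattern, fqdn.lower()) for pattern in row.fqdns):
        return True
    return category is not None and category in row.categories


def evaluate(profile: Union[Standalone, Group], fqdn: str) -> Tuple[str, str]:
    """Return (action, reason) for an FQDN under a Standalone or Group profile."""
    category = lookup_category(fqdn)
    members = [profile] if isinstance(profile, Standalone) else profile.members
    for m, member in enumerate(members, start=1):
        for r, row in enumerate(member.rows, start=1):
            if row_matches(row, fqdn, category):
                reason = f"row {r}" if isinstance(profile, Standalone) else f"member {m} row {r}"
                return row.action, reason
    # No user-specified row matched. The Uncategorized and ANY rows are taken
    # from the profile applied to the rule, so a member's own default rows are
    # ignored when it is used inside a Group.
    if category is None:
        return profile.uncategorized, "Uncategorized"
    return profile.any_action, "ANY"


def dot_escape_demo() -> dict:
    """Why an unescaped '.' widens an FQDN pattern: '.' is a one-character wildcard."""
    loose = r".*.google.com"      # '.' before 'google' matches any character
    strict = r".*\.google\.com"   # literal dots, so a real subdomain is required
    probes = ["www.google.com", "notgoogle.com"]   # constructed test names
    return {p: (bool(re.fullmatch(loose, p)), bool(re.fullmatch(strict, p))) for p in probes}


# Constructed sample profiles.
GLOBAL_ALLOW = Standalone(
    rows=[Row("Allow No Log", fqdns=[r".*\.google\.com"])],
    uncategorized="Allow No Log",   # ignored once this profile is used inside a Group
    any_action="Allow No Log",
)
SOCIAL_BLOCK = Standalone(
    rows=[Row("Deny Log", fqdns=[r"www\.twitter\.com"], categories=["Social Networking"])],
    uncategorized="Allow Log",
    any_action="Allow No Log",
)
GROUP = Group(members=[GLOBAL_ALLOW, SOCIAL_BLOCK], uncategorized="Deny Log", any_action="Allow Log")

if __name__ == "__main__":
    for name in ["www.twitter.com", "www.espn.com", "intranet.example", "mail.google.com"]:
        print(f"{name:20} standalone={evaluate(SOCIAL_BLOCK, name)}  group={evaluate(GROUP, name)}")
    print(dot_escape_demo())
```

Running the module shows that an FQDN with no Category and no matching row falls to the Uncategorized row of whichever profile is applied to the rule (the Group's "Deny Log" wins over the member's "Allow No Log"), while `dot_escape_demo` shows the loose pattern `.*.google.com` also accepting `notgoogle.com`, which the escaped form rejects.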

Group

  1. Navigate to Manage -> Profiles -> FQDN Filtering
  2. Click Create
  3. Provide a Profile Name and Description
  4. Specify the Type as Group
  5. Select an initial Standalone Profile (at least one Standalone Profile is required)
  6. Specify additional Standalone Profiles
  7. Click Add FQDN Profile to create a new row
  8. Select a Standalone Profile
  9. Specify the Policy action for Uncategorized FQDNs
  10. Specify the Policy action for ANY FQDNs (default)
  11. Optional: Specify Decryption Exception for any FQDNs where decryption is not desired or possible. Possible reasons for considering Decryption Exception include:
    1. Desire to not inspect encrypted traffic (financial services, defense, health care, etc.)
    2. SSO authentication traffic where decryption is not possible
    3. NTLM traffic that cannot be proxied
  12. Click Save when completed

Associate the Profile

Check this document to create/edit Policy Rules