FQDN (Fully Qualified Domain Name) Filtering¶
An FQDN Filtering Profile evaluates the FQDN associated with traffic and applies an action to either allow or deny the traffic. In order to evaluate the FQDN, traffic must contain an FQDN in an HTTP request header or an SNI in a TLS hello header. The FQDN can be evaluated for traffic that is processed by either a Forwarding or Forward Proxy Rule. The set of FQDNs in the Profile can be specified as strings representing the full domain or as strings representing a Perl Compatible Regular Expression (PCRE). If only domain filtering is required, it is best to use an FQDN Filtering Profile. An FQDN Filtering Profile can also be used in conjunction with a URL Filtering Profile, where the domain is evaluated using the FQDN Filtering Profile and the URL is evaluated using the URL Filtering Profile.
The FQDN Filtering is organized as a table containing user-specified rows (FQDNs and Categories) along with two default rows (Uncategorized and ANY). Categories and FQDNs can be combined within each row if desired.
The maximum number of rows is 32, including the default rows. Which means the maximum number of user-specified rows is 30.
The maximum number of entries per row is limited to 128 Categories and 60 user-specified FQDNs. If you require more than 60 user-specified FQDNs, then you will need to split the specified FQDNs across multiple rows.
Create the Profile¶
- Navigate to Manage -> Profiles -> FQDN Filtering
- Click Create
- Provide a Name and Description to the Profile
- Click Add to create a new row
- Enter individual FQDNs (e.g., www.twitter.com, .*.google.com)
- A PCRE (Perl Compatible Regular Expression) style regular expression is allowed
- Select Categories (e.g., Gambling, Sports, Social Networking)
- Select the Policy action for the row
- Allow Log - Allow the requests and log an event
- Allow No Log - Allow the requests and do not log an event
- Deny Log - Deny the requests and log an event
- Deny No Log - Deny the requests and do not log an event
- Optional: Specify Decryption Exception for any FQDNs where decryption is not desired or possible. Possible reasons for considering Decryption Exception include:
- Do not want to inspect encrypted traffic (financial services, defense, health care, etc.)
- SSO authentication traffic where decryption is not possible
- NTLM traffic that cannot be proxied
- Click Save when completed
- The penultimate row in the FQDN Filtering Profile, which is represented by Uncategorized as the FQDNs/Categories
- Specify the Policy action to take for FQDNs that do not match the user-defined configuration and are not represented as a pre-defined Category
- The last row in the FQDN Filtering Profile, which is represented by ANY as the FQDNs/Categories
- Specify the Policy action to take for FQDNs that do not match the user-defined, Category or Uncategorized configuration
Associate the Profile¶
Check this document to create/edit Policy Rules