FQDN (Fully Qualified Domain Name) Filtering

An FQDN Filtering Profile evaluates the FQDN associated with traffic and applies an action to either allow or deny the traffic. In order to evaluate the FQDN, traffic must contain an FQDN in an HTTP request header or an SNI in a TLS hello header. The FQDN can be evaluated for traffic that is processed by either a Forwarding or Forward Proxy Rule. The set of FQDNs in the Profile can be specified as strings representing the full domain or as strings representing a Perl Compatible Regular Expression (PCRE). If only domain filtering is required, it is best to use an FQDN Filtering Profile. An FQDN Filtering Profile can also be used in conjunction with a URL Filtering Profile, where the domain is evaluated using the FQDN Filtering Profile and the URL is evaluated using the URL Filtering Profile.

Create the Profile

User-Defined

  1. Navigate to Manage -> Profiles -> FQDN Filtering
  2. Click Create
  3. Provide a Name and Description for the Profile
  4. Click Add to create a new row
  5. Enter individual FQDNs (e.g., www.twitter.com, .*.google.com)
    1. A PCRE (Perl Compatible Regular Expression) style regular expression is allowed
  6. Select Categories (e.g., Gambling, Sports, Social Networking)
  7. Select the Policy action for the row
    • Allow Log - Allow the requests and log an event
    • Allow No Log - Allow the requests and do not log an event
    • Deny Log - Deny the requests and log an event
    • Deny No Log - Deny the requests and do not log an event
  8. Optional: Specify Decryption Exception for any FQDNs where decryption is not desired or possible. Possible reasons for considering Decryption Exception include:
    1. Do not want to inspect encrypted traffic (financial services, defense, health care, etc.)
    2. SSO authentication traffic where decryption is not possible
    3. NTLM traffic that cannot be proxied
  9. Click Save when completed
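
A pattern such as the one in step 5 can be checked against sample hostnames before it is saved. The following is an added example, not part of the product documentation: it uses Python's re module as a stand-in for PCRE (the two behave the same for these patterns), the hostnames are constructed, and because this page does not state whether a pattern must match the whole FQDN, both behaviours are modelled as assumptions.

```python
import re

# Constructed hostnames (not from the page). INTENDED are names the row is
# meant to cover; LOOKALIKES are names it should not cover.
INTENDED = ["www.google.com", "mail.google.com"]
LOOKALIKES = ["notgoogle.com", "www.google.com.lookalike.invalid"]


def audit(pattern, anchored):
    """Return (missed, overmatched) for a pattern.

    anchored=True  -> the whole hostname must match (re.fullmatch)
    anchored=False -> a match anywhere in the hostname counts (re.search)
    Which of the two the product applies is not stated on the page,
    so both are modelled here as assumptions.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    match = rx.fullmatch if anchored else rx.search
    missed = [h for h in INTENDED if not match(h)]
    overmatched = [h for h in LOOKALIKES if match(h)]
    return missed, overmatched


PAGE_EXAMPLE = r".*.google.com"    # as written in step 5: "." matches any character
ESCAPED = r".*\.google\.com"       # literal dots, no explicit anchors
ANCHORED = r"^.*\.google\.com$"    # literal dots and explicit anchors

if __name__ == "__main__":
    for pat in (PAGE_EXAMPLE, ESCAPED, ANCHORED):
        for anchored in (True, False):
            mode = "whole-name" if anchored else "substring"
            missed, over = audit(pat, anchored)
            print(f"{pat:22} {mode:10} missed={missed} overmatched={over}")
```

With unescaped dots the pattern also covers notgoogle.com, and without anchors any name that merely contains .google.com is covered, which matters most on rows with an Allow action or a Decryption Exception.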

Uncategorized

  1. Uncategorized is the penultimate row in the FQDN Filtering Profile and is shown with Uncategorized as its FQDNs/Categories value
  2. Specify the Policy action to take for FQDNs that do not match the user-defined configuration and are not represented as a pre-defined Category

Default (ANY)

  1. Default is the last row in the FQDN Filtering Profile and is shown with ANY as its FQDNs/Categories value
  2. Specify the Policy action to take for FQDNs that do not match the user-defined, Category or Uncategorized configuration

Associate the Profile

Check this document to create/edit Policy Rules