Fully Qualified Domain Name Filter Profile

A Fully Qualified Domain Name (FQDN) filter profile evaluates the FQDN associated with traffic and applies an action to either allow or deny the traffic. To evaluate the FQDN, the traffic must be TLS encrypted and carry an FQDN in the Server Name Indication (SNI) field of the TLS ClientHello. The FQDN can be evaluated for traffic that is processed by either a Forwarding or a Forward Proxy rule. The set of FQDNs in the profile can be specified as strings representing the full domain or as Perl Compatible Regular Expressions (PCRE). If only domain allowlisting is required, an FQDN filtering profile is the best choice. An FQDN filtering profile can also be used together with a URL filtering profile, in which case the domain is evaluated by the FQDN filtering profile and the URL by the URL filtering profile.

Use FQDN filtering to allow or deny traffic by FQDN or category after a policy rule has matched. Filters can be set at a granular level: each FQDN filter row carries an action, such as allow or deny, together with its logging option.

The FQDN filtering profile can also use a set of pre-defined categories. To view more information on categories, see FQDN / URL Filtering Categories.

Note

The FQDN filtering profile is organized as a table containing user-specified rows (FQDNs and categories) along with two default rows (Uncategorized and ANY). Categories and FQDNs can be combined within each row if desired.

The limits for each FQDN filter profile are as follows:

  • Maximum user-specified rows: 254 (standalone or group of standalones)

  • Maximum categories and FQDNs per row: 60

  • Maximum FQDN character length: 255

When specifying a multi-level domain (e.g., `www.example.com`) as a pattern, escape the `.` character (e.g., `www\.example\.com`); otherwise an unescaped `.` is treated as a wildcard that matches any single character.

Standalone vs. Group

An FQDN filter profile can be specified as standalone or group.

A standalone FQDN filter profile contains FQDNs and categories. The profile is applied directly to a set of one or more policy rulesets, or it is associated with an FQDN group profile.

An FQDN filter group profile contains an ordered list of standalone profiles. Standalone profiles can be created for different purposes and combined into a group profile, and the group profile can then be applied directly to a set of one or more policy rulesets. Each team can create and manage its own standalone profiles, and these can be combined into group profiles to build hierarchies or different combinations for each use case. An example combination is a global FQDN list that applies to everything, a CSP-specific list that applies to each cloud service provider (CSP), and an application-specific list that applies to each application.

Uncategorized

  • The second-to-last row in an FQDN filter profile, which is represented as Uncategorized.

  • Specifies the policy action to take for FQDNs that do not match the user-specified FQDNs or do not have a category.

  • If a standalone profile is used in a group profile and the group profile is applied to a policy ruleset, the Uncategorized row will be taken from the group profile. The Uncategorized row of a standalone profile is only applicable if the standalone profile is directly applied to a policy ruleset.

Default (ANY)

  • The final row in an FQDN filter profile, which is represented as ANY.

  • Specifies the policy action to take for FQDNs that do not match the user-specified FQDNs or categories and are not Uncategorized, that is, FQDNs that have a category but match no user-specified row.

  • If a standalone profile is used in a group profile and the group profile is applied to a policy ruleset, the ANY row will be taken from the group profile. The ANY row of a standalone profile is only applicable if the standalone profile is directly applied to a policy ruleset.
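As an added example (not the product's code), the following Python models the row evaluation described for standalone and group profiles: user-specified rows are walked in order, and when none matches, the Uncategorized row handles FQDNs with no category and the ANY row handles the rest, with both default rows taken from whichever profile is applied to the ruleset. The category lookup table, the sample profiles and the first-match-wins ordering are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

# Constructed stand-in for the vendor's category database (not the real one).
CATEGORY_DB = {
    "evil.example": "malware",
    "api.vendor.example": "saas",
    "news.example": "news",
}


@dataclass
class Row:
    """One user-specified row: FQDN patterns and/or categories, plus an action."""
    action: str
    fqdns: List[str] = field(default_factory=list)
    categories: List[str] = field(default_factory=list)

    def matches(self, fqdn: str, category: Optional[str]) -> bool:
        # Patterns are evaluated against the whole FQDN, so an unescaped '.' is a wildcard.
        return any(re.fullmatch(p, fqdn) for p in self.fqdns) or (
            category is not None and category in self.categories)


@dataclass
class Standalone:
    name: str
    rows: List[Row]            # ordered user-specified rows
    uncategorized: str         # default row: no row matched and the FQDN has no category
    any_action: str            # default row: no row matched and the FQDN has a category


@dataclass
class Group:
    name: str
    members: List[Standalone]  # ordered list of standalone profiles
    uncategorized: str
    any_action: str


def evaluate(profile: Union[Standalone, Group], fqdn: str) -> Tuple[str, str]:
    """Return (action, reason) for an FQDN taken from the SNI. Assumption: rows, and the
    members of a group, are evaluated in listed order and the first match wins."""
    category = CATEGORY_DB.get(fqdn)
    if isinstance(profile, Group):
        rows = [(m.name, r) for m in profile.members for r in m.rows]
    else:
        rows = [(profile.name, r) for r in profile.rows]
    for owner, row in rows:
        if row.matches(fqdn, category):
            return row.action, f"{owner} row"
    # The Uncategorized and ANY rows always come from the profile applied to the
    # ruleset: a member's own default rows are ignored when it is used inside a group.
    if category is None:
        return profile.uncategorized, f"{profile.name} Uncategorized"
    return profile.any_action, f"{profile.name} ANY"


# Constructed sample profiles: a global list, an application list, and a group of both.
GLOBAL = Standalone("global",
                    [Row("deny", categories=["malware"]),
                     Row("allow", fqdns=[r".*\.corp\.example"])],
                    uncategorized="deny", any_action="deny")
APP = Standalone("app",
                 [Row("allow", fqdns=[r"api\.vendor\.example"])],
                 uncategorized="allow", any_action="allow")
GROUP = Group("group", [GLOBAL, APP], uncategorized="deny", any_action="allow")


if __name__ == "__main__":
    for name in ["evil.example", "api.vendor.example", "unknown.example", "news.example"]:
        print(name, "->", evaluate(GROUP, name))
    # The same uncategorized name is allowed when APP is applied directly to a ruleset,
    # because then APP's own Uncategorized row is the one that counts.
    print("unknown.example (APP direct) ->", evaluate(APP, "unknown.example"))
```

The contrast worth noticing is `unknown.example`: inside the group it is denied by the group's Uncategorized row even though the `app` member would allow it on its own, which is exactly the behaviour the two bullets above describe.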