MWG 7 - Best way to allow / block sites based on full url

Stupid question I know, but I seem to be forgetting how to allow or block parts of sites.  For example, there may be a URL such as www.test.com/stuff/thegoodstuff.

The default Whitelist rules use the URL.Host matches in list.  While the list seems to support wildcard expressions (heck, the column is even called "Wildcard Expression"), in reality it only takes top-level FQDN entries with wildcards.  If you wish to allow / block at a lower level in the URL, it fails.

So is there a property we can use to inspect a URL with subsites and filter deeper in that URL rather than just the top level?

2 Replies
Re: MWG 7 - Best way to allow / block sites based on full url

For my whitelists, blacklists, and almost every other list that relates to a URL, I break it up into 2 types: hosts only and full URLs.

Name: Global Whitelist: Domains or Global Whitelist: URLs

Rule Criteria:
URL.Host.BelongsToDomains (Global Whitelist: Domains) equals true OR
URL matches in list Global Whitelist: URLs

Action:
Stop Cycle

The string list of Global Whitelist: Domains is just domain or host names:

adobe.com
apache.org
blackberry.com
broker.gotoassist.com
cdc.gov
cisco.com


The Wildcard list of Global Whitelist: URLs is where I put full wildcards:

http://www.google.com/uds/api/visualization/1.0/*
http://www.google.com/uds/modules/gviz/1.0/*
http://ajax.googleapis.com/ajax/static/modules/gviz/1.0/*

Re: MWG 7 - Best way to allow / block sites based on full url

For those who haven't covered it, it's important to note the difference between "Stop Cycle" and "Stop Rule Set".  So, we use "Stop Cycle" for our global white list, and that's upstream of authentication, anti-malware scanning, and DLP.  So, we are cautious to limit what goes in the global white list.

We use a completely different set of lists for those things that should not be blocked but do need the scanning and authentication.


On a separate note.  There is a performance consideration.  Wildcard matches that start with a wild card, e.g. *.google.com, may search an entire string before giving up (unless there's some weird, behind-the-scenes optimization).  So if you need matches of that type, matching against URL.Host or URL.Domain can provide some performance improvement and even eliminate some of those patterns that start with a wild card.
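
The two-list split described in these replies, sketched in Python as an added example (not from the original posts and not MWG's matching engine). The list contents are constructed, the function names are hypothetical, and `fnmatch` globbing stands in for the product's wildcard syntax as an assumption.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample lists, modelled on the two list types in the thread.
ALLOW_DOMAINS = {"adobe.com", "cdc.gov", "broker.gotoassist.com"}
ALLOW_URLS = ["http://www.google.com/uds/api/visualization/1.0/*"]


def host_belongs_to_domains(host, domains):
    """True if host equals a listed domain or is a subdomain of one.

    Each label suffix of the host is looked up in a set, so the cost depends
    on the number of labels, not on list size, and 'notadobe.com' never
    matches 'adobe.com' because comparison happens on label boundaries.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def url_matches_wildcards(url, patterns):
    """True if the full URL matches any glob pattern ('*' matches any run,
    including '/'). Every pattern is tried in turn against the whole string."""
    return any(fnmatchcase(url, p) for p in patterns)


def is_globally_allowed(url):
    """Hypothetical stand-in for the rule criteria: domain list OR URL list."""
    host = urlsplit(url).hostname or ""
    return (host_belongs_to_domains(host, ALLOW_DOMAINS)
            or url_matches_wildcards(url, ALLOW_URLS))


if __name__ == "__main__":
    for u in ("https://helpx.adobe.com/support.html",
              "http://notadobe.com/",
              "http://www.google.com/uds/api/visualization/1.0/chart.js",
              "http://www.google.com/search?q=x"):
        print(is_globally_allowed(u), u)

    # A pattern that starts with a wildcard, applied to the full URL, also
    # matches when the text appears in the path; the host check does not.
    sample = "http://example.net/r/.google.com/x"   # constructed URL
    print(url_matches_wildcards(sample, ["*.google.com/*"]),              # True
          host_belongs_to_domains(urlsplit(sample).hostname, {"google.com"}))  # False
```

Because an entry that hits the "Stop Cycle" list skips everything downstream, the last case is the one to audit for: a leading-wildcard entry in the full-URL list is broader than the same name in the domains list.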
