FQDN / URL Filtering Categories

Multicloud Defense also uses threat intelligence from Cisco Talos Intelligence to categorize web sites based on their risk score. This covers fully qualified domain names (FQDNs), sometimes referred to simply as domain names, and URLs. Sites are grouped into 84 categories, which are evaluated when traffic from your public cloud environment makes outbound (egress) connections to them:

  • FQDNs (domains) - 1+ billion categorized FQDNs (domains)

  • URLs - 45+ billion categorized URLs

To improve efficiency in recognizing and processing traffic, the gateway pre-loads a cache of the top 1 million FQDNs/URLs and their categories. The gateway also maintains a runtime cache of 10,000 FQDNs/URLs and their categories that are not part of the top 1 million. If traffic contains any of the cached FQDNs/URLs, the category is known immediately.

If the FQDN/URL is not found in either cache, the gateway queries the Multicloud Defense Controller to resolve the category via Talos. This operation is expected to complete in no more than 200 ms. If it completes within that time, the traffic is processed based on the learned category and the profile applies the policy defined for that category. If it does not complete within that time, the traffic is processed as Uncategorized and the profile applies the policy defined for Uncategorized. Once the resolution returns, the learned category is added to the runtime cache for subsequent lookups, even if the answer arrived after the 200 ms window and the traffic has already been processed as Uncategorized. Because of this fallback, the first connection to a site that is in neither cache and cannot be resolved within 200 ms is handled by the Uncategorized policy, so choose that policy's action deliberately.

If the runtime cache is full, the gateway purges the least recently accessed FQDNs/URLs and their categories in batches of 10 entries to make room for more recently accessed ones.
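The lookup sequence described above, as an added example that is not Multicloud Defense code: a Python simulation of the two-tier cache with the 200 ms budget, the Uncategorized fallback and the batch-of-10 eviction. The class and function names, the stand-in resolver, the sample domains and the placeholder category names are all assumptions made for illustration; the real gateway resolves asynchronously, whereas here a simulated latency decides whether the answer counts as "in time".

```python
from collections import OrderedDict

UNCATEGORIZED = "Uncategorized"
RESOLVE_BUDGET_S = 0.200          # the gateway waits at most 200 ms for the controller


class CategoryCache:
    """Two-tier category lookup: a static pre-loaded cache plus an LRU runtime cache.

    `resolver(name)` stands in for the controller/Talos query and returns
    (category, latency_seconds). It is a hypothetical interface for this example.
    """

    def __init__(self, preloaded, resolver, runtime_capacity=10_000,
                 evict_batch=10, budget_s=RESOLVE_BUDGET_S):
        self.preloaded = {k.lower(): v for k, v in preloaded.items()}  # never evicted
        self.runtime = OrderedDict()       # least recently accessed entry comes first
        self.runtime_capacity = runtime_capacity
        self.evict_batch = evict_batch
        self.resolver = resolver
        self.budget_s = budget_s

    def _remember(self, name, category):
        """Insert into the runtime cache, purging the oldest batch when it is full."""
        if name in self.runtime:
            self.runtime.move_to_end(name)
            self.runtime[name] = category
            return
        if len(self.runtime) >= self.runtime_capacity:
            for _ in range(min(self.evict_batch, len(self.runtime))):
                self.runtime.popitem(last=False)   # drop the least recently accessed
        self.runtime[name] = category

    def lookup(self, name):
        """Return (category, source); source is 'preloaded', 'runtime', 'resolved' or 'timeout'."""
        name = name.lower().rstrip(".")
        if name in self.preloaded:
            return self.preloaded[name], "preloaded"
        if name in self.runtime:
            self.runtime.move_to_end(name)      # touch: now the most recently accessed
            return self.runtime[name], "runtime"
        # Cache miss: ask the controller. The simulated latency decides whether
        # the answer arrived inside the budget.
        category, latency_s = self.resolver(name)
        self._remember(name, category)          # cached even when it arrives late
        if latency_s <= self.budget_s:
            return category, "resolved"
        return UNCATEGORIZED, "timeout"         # the Uncategorized policy applies


# Constructed sample data. Category names are placeholders, not Talos categories.
PRELOADED = {"www.example.com": "Business"}
CONTROLLER_TABLE = {
    "updates.example.net": ("Software Updates", 0.050),   # answers within budget
    "slow.example.org": ("File Sharing", 0.450),          # answers too late
}


def fake_controller(name):
    """Hypothetical stand-in for the Multicloud Defense Controller / Talos query."""
    return CONTROLLER_TABLE.get(name, ("Unknown", 0.030))


def demo():
    """Walk through the cases the text describes; return (name, category, source) triples."""
    cache = CategoryCache(PRELOADED, fake_controller, runtime_capacity=25)
    names = ["www.example.com",        # pre-loaded hit
             "updates.example.net",    # miss, resolved in 50 ms
             "updates.example.net",    # runtime cache hit
             "slow.example.org",       # miss, 450 ms -> Uncategorized
             "slow.example.org"]       # the late answer was cached anyway
    results = [(n,) + cache.lookup(n) for n in names]
    return results, cache


if __name__ == "__main__":
    for name, category, source in demo()[0]:
        print(f"{name:24} {category:18} ({source})")
```

The fourth and fifth lookups are the case worth noticing: the same domain is handled first by the Uncategorized policy and then, one connection later, by its real category.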

Note

FQDN filtering with categories happens for:

  1. SNI in TLS client hello

  2. DNS queries for FQDN lookups

  3. HTTP Host header (for cleartext HTTP traffic)