FQDN Match Object

A Fully Qualified Domain Name (FQDN) Match Object evaluates the Server Name Indication (SNI) of TLS-encrypted traffic, or the Host header of unencrypted HTTP traffic, and uses the result for rule matching. If the traffic matches all match objects (Address, FQDN, Service) associated with a rule, that rule is used to process the traffic. For the FQDN to be evaluated, the traffic must either be TLS encrypted and carry an SNI in the unencrypted TLS ClientHello, or be unencrypted HTTP and carry a Host header. The FQDN can be evaluated for traffic processed by either a Forwarding or a Forward Proxy rule. The set of FQDNs in the object is specified either as literal strings giving the full domain or as Perl Compatible Regular Expressions (PCRE).

Note

The FQDN match object is organized as a table containing user-specified rows (FQDNs).

The rows do not contain log-related actions to perform, because an FQDN match object is a first-level matching criterion. When you have a clear list of FQDNs that you want to allow, use FQDN match objects. If, after a rule match, you want to allow traffic based on categories or other criteria, use FQDN filtering. For more information, see Fully Qualified Domain Name Filter Profile.

The limits for each FQDN match object are as follows:

  • Maximum user-specified rows: 254 (Standalone or Group of Standalones)

  • Maximum FQDNs per row: 60

  • Maximum FQDN character length: 255

When specifying a multilevel domain (for example, www.example.com), it is important to escape the . character (for example, www\.example\.com); otherwise the period is treated as a wildcard that matches any single character.

Syntax

When defining an FQDN inside an FQDN match object, use PCRE formatting. The commonly used special characters are:

  • Period (.) to match any character except for line terminators (\n).

  • Asterisk (*) to match the previous pattern zero or more times, as many times as possible (greedy).

  • Backslash (\) to escape a special character. Because the period alone is a special character, use \. to specify a literal period in an FQDN. For example, in PCRE format, www.google.com is written as www\.google\.com.

  • Question mark (?) to match the previous pattern zero or one time, preferring one. This character is useful when you want to make a specific pattern in an expression optional.

  • {1} to match the previous pattern one time exactly.

When using PCRE, it is important to test that the expression matches the desired FQDN strictly and does not match any undesired domains. The resources listed below can be used to gain a further understanding of PCRE syntax as well as test expressions to make sure they match the desired FQDN:

For example, if we have a requirement to match any subdomain of google.com as well as the domain itself, we can create an FQDN match object that includes the following FQDN definition: (.*\.)?google\.com. Read from left to right, the expression says: match any character any number of times (.*) followed by a literal period (\.), and make that whole group optional (?); then match google.com exactly (google\.com).
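The two pitfalls above, an unescaped period matching any character and a pattern that matches more than the intended domains, are easy to catch before a pattern is committed to a match object. The following checker is an added example, not code from the original page or from the product vendor; it uses Python's re module, which supports the PCRE constructs the page lists (., *, ?, {1}, \ and ^/$ anchors), and the FQDN lists are constructed sample data. Because the page does not say whether the gateway anchors an expression to the whole SNI or Host value, the checker tests each pattern both ways (whole-string and substring) and reports any domain that slips through under either interpretation, so a pattern that passes here is safe under both.

```python
import re

# Constructed sample data (not from the original page): FQDNs the rule is
# meant to allow, and look-alikes it must not allow.
WANTED = ["google.com", "mail.google.com", "a.b.google.com"]
UNWANTED = [
    "googleXcom",               # shows why the '.' must be escaped
    "notgoogle.com",            # suffix look-alike
    "google.com.example.test",  # prefix look-alike
]

MAX_FQDN_LEN = 255  # maximum FQDN character length stated on the page


def match_whole(pattern, fqdn):
    """True if PATTERN matches the entire FQDN (anchored interpretation)."""
    return re.fullmatch(pattern, fqdn) is not None


def match_anywhere(pattern, fqdn):
    """True if PATTERN matches anywhere inside FQDN (unanchored interpretation)."""
    return re.search(pattern, fqdn) is not None


def check_pattern(pattern, wanted, unwanted):
    """Evaluate a candidate FQDN expression against known-good and known-bad names.

    Returns a dict with the wanted names the pattern misses, the unwanted
    names it accepts under whole-string matching, the unwanted names it
    accepts under substring matching, and an overall "ok" flag that is True
    only when the pattern is exact under both interpretations.
    """
    if len(pattern) > MAX_FQDN_LEN:
        raise ValueError("pattern exceeds the %d-character limit" % MAX_FQDN_LEN)
    re.compile(pattern)  # raises re.error on a malformed expression
    result = {
        "missed": [f for f in wanted if not match_whole(pattern, f)],
        "anchored_false_positives": [f for f in unwanted if match_whole(pattern, f)],
        "unanchored_false_positives": [f for f in unwanted if match_anywhere(pattern, f)],
    }
    result["ok"] = not (
        result["missed"]
        or result["anchored_false_positives"]
        or result["unanchored_false_positives"]
    )
    return result


if __name__ == "__main__":
    for candidate in (r"google.com", r"(.*\.)?google\.com", r"^(.*\.)?google\.com$"):
        print(candidate, check_pattern(candidate, WANTED, UNWANTED))
```

Running the block shows that the unescaped google.com accepts googleXcom, that (.*\.)?google\.com is exact only under whole-string matching and accepts notgoogle.com and google.com.example.test as substrings, and that the explicitly anchored ^(.*\.)?google\.com$ is exact either way. Keeping the known-bad list alongside the known-good one is the part that pays off: it turns the page's advice to test strictly into a repeatable check.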

Here are the guidelines for defining FQDN match objects:

  • For all HTTPS and WebSocket traffic, create a set of rules that use FQDN match objects. Each rule name should make clear how the gateway classifies and processes the matching traffic.

  • Create separate rows in your FQDN match object for domains that are decrypted and for domains that are not decrypted (decryption exceptions).

  • Consider creating separate rules, each using its own FQDN match object, for traffic to decrypt and traffic not to decrypt.

  • Ensure that each PCRE domain expression matches the desired domains and does not match any undesired domains.