What's the simplest way to block a Top-Level-Domain (*.ru/* for example )in web protection?

I know this works in UTM hoping XG

https?://[A-Za-z0-9.-]*\.ru/

or

http?://[A-Za-z0-9.-]*\.ru/

You can also use country blocking, you may be aware but figure I would mention it.

Badrobot said:

 https?://[A-Za-z0-9.-]*\.ru/

http?://[A-Za-z0-9.-]*\.ru/

If working with this REGEX Snippets, then the pattern for an URL with Path behind should be added as well (for Example mydomain.ru/mypage/index.php wouldnt be affected by this REGEX Snippets above). Afterwards this Regex Snippet can be used to create an URL Group that afterwards can be used in Webfilter Policy.

By the way... Why do you want to block all *.ru pages? not all of those are bad... I don't se a usecase for something like this :-S

As examples, regardless of geography, I don't know where a ".online" or ".loan" domain might be physically hosted but I know my users don't have any business going there.

krebsonsecurity.com/.../

Is there a KB article better describing what the categories contain such as "Criminal Activities"? That's a bit open to interpretation. I'd put all Wall Street banks in there, for example.

There are a hundred categories.  Managing a rule for each separately is complex.  Therefore the categories are grouped together, along with filetypes into "User Activities".

You can go into Web \ User Activities to see the categories in each.

You can go into Web \ Categories and click into a category to get a description.  I think there must be a list somewhere in help or a KB of all the descriptions.  But there is another place to get them.  This site, used for some internal testing, contains a list of categories and descriptions.  Please note that this site has different lists for different products, the list of categories for CWG and XG are the same.

http://www.sophostest.com/cwg/

This definition of "Criminal Activities" doesn't seem to like-up with the advice of using this category for malware domains, etc:

Criminal Activity

Includes sites for advocating, instructing, or giving advice on performing illegal acts; tips on evading law enforcement; and lock-picking and burglary techniques.

The User Activity called Criminal Activity contains 7 categories.

One of the categories is also called Criminal Activity.  The description may not be ideal - I know that child porn and other illegal to browse to things are categorized as Criminal Activity.

The other most important category is Spyware and Malware.  This is where a lot of the bad computer security stuff is.

Blocking the entire User Activity is what I recommend.

I will not comment on the decision of naming a User Activity the same as a Category.  :)

Understood. Going to add it. Thanks for your input on the forums!

Ugh!  Just went and looked at some of the backend and mapping.  Again, I will not comment on decisions for naming and inclusion.  :)

Consider blocking User Activity Suspicious.  This is a mix of bad stuff (spam) and not bad stuff (advertising).  Maybe look at the categories inside and make a decision.

I would also personally block these:

Command and Control (if you are using Advanced Threat Protection then this is already blocked.  If you are not then this category takes effect.)

Spam URLs (also part of the User Activity Suspicious)

Hacking

I agree, I have seen many sites that should have a domain from a specific country or IP Block from that country that are actually hosted on a cloud platform in a different country.

I suspect GEOIP blocking makes more sense in blocking incoming connection from certain countries.  Or incoming/outgoing for certain ports (we should block any ssh access from internal to Russia).

For outgoing Web traffic it makes less sense, however I just brought it up for Web as additional thing for a paranoid admin to lock-down.

This is miss leading, the US is the leader because hackers from other countries know they cannot create their links in their own country due to country blocking, essentially this is a product of the country blocking technique used by many admins.  I have a black hole setup, the list started with 1 or 2 IP's a year or so ago, I think it is now at 200, I actually send out a lot of abuse emails to hosting companies, most are pretty good about it and I usually check a few days later from a test setup I have and the link or page is gone. 

The real issue here is cloud platform or web hosting companies not doing their due diligence when letting users sign up, they just kick out a trial server to anyone with an email, I mean what do they expect, here ya go have a virtual linux server to use for 2 weeks at no cost, no worries you seem like a good person.  I should sign up for one for fun as-

First Name: Malicious

Last Name: Hacker

Company: Your Checking Account

Phone Number: 666-666-6666

Email: stole_this_from_someone@ransomeware.com

This is miss leading, the US is the leader because hackers from other countries know they cannot create their links in their own country due to country blocking, essentially this is a product of the country blocking technique used by many admins.  I have a black hole setup, the list started with 1 or 2 IP's a year or so ago, I think it is now at 200, I actually send out a lot of abuse emails to hosting companies, most are pretty good about it and I usually check a few days later from a test setup I have and the link or page is gone. 

The real issue here is cloud platform or web hosting companies not doing their due diligence when letting users sign up, they just kick out a trial server to anyone with an email, I mean what do they expect, here ya go have a virtual linux server to use for 2 weeks at no cost, no worries you seem like a good person.  I should sign up for one for fun as-

First Name: Malicious

Last Name: Hacker

Company: Your Checking Account

Phone Number: 666-666-6666

Email: stole_this_from_someone@ransomeware.com