Wildcard usage methods. Are they available?

Hi All,

The general built-in web categories are not enough for creating special in-depth web policies for non-English-speaking countries.
Languages other than English have their own unique words, sentences and even letters, which affect the domain names accordingly.
These variables make it hard to prepare a secure network through policies.

Is there any option available to address this kind of requirement in Sophos XG devices?

How to use wildcards and/or asterisks in Sophos Firewall and/or Cloud Endpoint Protection?

Example usage:

To block any host for site.com use:
*.site.com

Another example: when the streaming-media category is blocked, the settings below allow access to YouTube.

*.youtube.com
*.ytimg.com
*.youtube.com/watch
*.googlevideo.com

The following characters are considered separators:
./?&=;+

Every substring that is separated by the characters listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or *. For example, the following patterns are valid:
*.yahoo.com             => Tokens are: "*", "yahoo" and "com"
www.*.com               => Tokens are: "www", "*" and "com"
www.yahoo.com/search=*  => Tokens are: "www", "yahoo", "com", "search" and "*"
Thanks all.
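The token rule quoted in the post is precise enough to model. The block below is an added example, not Sophos code and not part of the original post: it tokenizes on the listed separators, validates a pattern against the stated token rule (so it shows why "*watchlive.*" and "0day*.*" are not valid tokens, and flags non-ASCII labels), and matches host/path strings against a pattern. The matching semantics are assumptions made for this example: "*" stands for one or more whole tokens, a pattern without a path part matches any path, and a path part matches as a prefix of the URL's path. Inputs are scheme-less host/path strings like the post's own examples.

```python
# Added example (not Sophos code): a model of the token-based wildcard syntax quoted above.
# Separator set and token rule come from the post; the matching semantics are assumptions.
from typing import List

SEPARATORS = frozenset("./?&=;+")


def tokenize(text: str) -> List[str]:
    """Split on the separator characters; the separators themselves are dropped.
    Empty tokens (e.g. from a trailing '/') are dropped too (assumption)."""
    tokens, current = [], []
    for ch in text:
        if ch in SEPARATORS:
            tokens.append("".join(current))
            current = []
        else:
            current.append(ch)
    tokens.append("".join(current))
    return [t for t in tokens if t]


def validate(pattern: str) -> List[str]:
    """Return the reasons a pattern breaks the quoted rule, or [] if it is valid.
    A token must be exactly '*' or ASCII text containing neither a separator nor '*'."""
    problems = []
    for tok in tokenize(pattern):
        if tok == "*":
            continue
        if "*" in tok:
            problems.append(f"token {tok!r} mixes '*' with other characters")
        if not tok.isascii():
            problems.append(f"token {tok!r} contains non-ASCII characters")
    return problems


def _match(pat: List[str], toks: List[str], prefix: bool) -> bool:
    """Token-wise match. '*' consumes one or more tokens (assumption).
    With prefix=True the pattern may end before the tokens do."""
    if not pat:
        return prefix or not toks
    if pat[0] == "*":
        return any(_match(pat[1:], toks[i:], prefix) for i in range(1, len(toks) + 1))
    return bool(toks) and pat[0].lower() == toks[0].lower() and _match(pat[1:], toks[1:], prefix)


def matches(pattern: str, url: str) -> bool:
    """Host part must match completely; the path part (after the first '/') matches as a prefix.
    A pattern with no path part matches any path (assumption)."""
    problems = validate(pattern)
    if problems:
        raise ValueError(f"invalid pattern {pattern!r}: {problems}")
    p_host, _, p_path = pattern.partition("/")
    u_host, _, u_path = url.partition("/")
    if not _match(tokenize(p_host), tokenize(u_host), prefix=False):
        return False
    return _match(tokenize(p_path), tokenize(u_path), prefix=True)


if __name__ == "__main__":
    for p in ("*.yahoo.com", "www.*.com", "www.yahoo.com/search=*", "*watchlive.*", "0day*.*"):
        print(f"{p:24} tokens={tokenize(p)} problems={validate(p)}")
    for p, u in (("*.site.com", "www.site.com"),
                 ("*.site.com", "site.com"),
                 ("*.site.com", "www.site.com.evil.example"),
                 ("*.youtube.com/watch", "www.youtube.com/watch?v=abc")):
        print(f"{p:22} vs {u:30} -> {matches(p, u)}")
```

The validator rejects "*watchlive.*" because "*watchlive" is a single token that mixes "*" with other characters; under the quoted rule a wildcard can only replace a whole token, which is exactly the limitation the later replies describe.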


This thread was automatically locked due to age.
  • Hello Can,

    Thank you for contacting the Sophos Community.

    The XG only supports the use of ASCII characters; supporting another type of character would be a Feature Request.

    There is, however, an RFC that describes how to convert non-ASCII characters (RFC 3490).

    Regards,
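The conversion the reply above points to (RFC 3490, IDNA) turns each non-ASCII label into an "xn--" Punycode label that an ASCII-only list can hold. The block below is an added example, not Sophos code and not part of the reply: it converts a list of candidate domains with Python's built-in "idna" codec and reports which entries changed and which could not be converted. The sample names are constructed. Caveat: the codec implements IDNA 2003 (RFC 3490/3491); IDNA 2008 differs for a few characters (e.g. the German sharp s), so compare against the registry's published A-label for such names.

```python
# Added example (not Sophos code): RFC 3490 (IDNA) conversion of domain names to ASCII.
from typing import List, Optional, Tuple


def to_ascii_domain(name: str) -> str:
    """Return the ASCII (A-label, 'xn--') form of a domain name, label by label.
    Case is folded first; a trailing dot is dropped. Raises UnicodeError on invalid labels."""
    return name.strip().rstrip(".").lower().encode("idna").decode("ascii")


def to_unicode_domain(ascii_name: str) -> str:
    """Reverse conversion, for checking an entry already in a list."""
    return ascii_name.encode("ascii").decode("idna")


def convert_entries(names: List[str]) -> List[Tuple[str, Optional[str], str]]:
    """For each candidate entry return (original, ascii_form_or_None, status), where status is
    'unchanged' (already ASCII), 'converted' (contains xn-- labels) or 'invalid' (not encodable)."""
    report = []
    for raw in names:
        try:
            ascii_form = to_ascii_domain(raw)
        except UnicodeError:
            report.append((raw, None, "invalid"))
            continue
        status = "unchanged" if raw.strip().rstrip(".").lower() == ascii_form else "converted"
        report.append((raw, ascii_form, status))
    return report


if __name__ == "__main__":
    # constructed sample entries: one ASCII, one with a non-ASCII label, one over-long label
    for entry in convert_entries(["site.com", "Bücher.example", "x" * 70 + ".example"]):
        print(entry)
```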

  • As you can read in the firewall help:

    "You must enter a valid domain name. Regular expressions are not allowed."

    So you can use the following:

    site.com to block any host from this domain

    or

    host.site.com to block a specific host

  • If you're using URL Groups or Web Categories, when you create a new group with "site.com", not only the host domain will be blocked; it will also work as a wildcard.

    If you use "new.site.com", only that subdomain will be blocked.

    All of this applies to both Web Filtering and SSL/TLS Inspection Rules.

  • Thanks. Can we only use ASCII characters in a wildcard in Sophos Firewall?

    I am also using Sophos Endpoint Protection. If this kind of feature is supported there, that suits too.

    Could you give an example usage?

    For example, I am in need of:

    *watchlive.* > a rule syntax that includes all the domain names which contain "watchlive".

    0day*.* > a rule syntax that includes all the domain names which contain "0day".

  • Hi,

    As you know, technology is like a living organism. It is always being updated, so it presents new features every day. The Sophos product family is also a precious member of this market.

    Could you remind me which help file the text you mentioned comes from? Which version did you take it from?

    Is there any other way to get the intended result, such as:

    *watchlive.* > a rule syntax that includes all the domain names which have "watchlive" at the end.

    0day*.* > a rule syntax that includes all the domain names which have "0day" at the front.

    If this essential feature is absent, that is sad.
    Thanks.

  • If I'm not mistaken Sophos UTM supports this.

  • Thanks.

    Yes, by using Web Categories. These categories are especially for English-speaking countries, I'd say.
    So those pre-compiled lists cannot satisfy the needs of non-English-speaking zones.

    Lots of new web sites pop up every day to get around DMCA blocking or government censorship.
    So it is very hard to track the new domains via logs.
    Yes, censorship occurs in these regions.

    If there is no wildcard method available, is there any other way to get this kind of job done?
    A different approach, maybe via another mechanism...

  • @Arie: How?
    can you give us a hint?

  • That is somehow not entirely true. The problem is in the detail:

    Let me recap the wildcard situation quickly:

    Most likely people ask for wildcards for "web based traffic" --> I want everything coming from Sophos.com to be allowed, so all subdomains etc.

    You can approach this in SFOS differently --> DPI (TLS decryption), web exception or firewall rule.

    In UTM, the web proxy was the only approach, and the web proxy allows the same kind of regex as SFOS does. But in fact, the UTM does not allow wildcards in the firewall for firewall traffic (so bypassing the firewall with *.sophos.com).

    In SFOS, you can simply create a firewall rule: LAN to WAN with *.sophos.com and allow everything.

    But as you move beyond the domain level, it gets complicated to interact with a URL. So if you want to allow Sophos.com/*, you cannot do this for decryption. The answer is simple: if the product decides to decrypt the traffic, it has to do this on the first packet. So the first packet is your only chance to decide whether you decrypt or leave the packet. The first packet does not include a GET sophos.com/test; in fact it is a simple TLS handshake packet. See: https://tls.ulfheim.net/ There is something called SNI, which gives you another chance to include a domain as well (Sophos.com for example), but not a URL.
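The "first packet" argument in the reply above can be checked against the bytes. The block below is an added example, not Sophos code and not part of the reply: it constructs a minimal TLS ClientHello record carrying a server_name (SNI) extension, then parses the host name back out with an independent parser that returns None for truncated data, non-TLS input, or a ClientHello without SNI. The field layout follows RFC 5246 (record and handshake framing) and RFC 6066 (server_name); the ClientHello itself, the host name and the cipher suite chosen are constructed for this example.

```python
# Added example (not Sophos code): what a TLS ClientHello exposes before any decryption decision.
import struct
from typing import Optional

SNI_EXT = 0x0000                 # server_name, RFC 6066
SUPPORTED_VERSIONS_EXT = 0x002B  # an unrelated extension so the parser has to skip one


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal TLS record carrying a ClientHello, optionally with an SNI extension."""
    sv = b"\x02\x03\x03"                                           # supported_versions: [TLS 1.2]
    extensions = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(sv)) + sv
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host     # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                               # client_version
        + bytes(32)                               # random: zeros in this constructed sample
        + b"\x00"                                 # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                             # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(packet: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None if the bytes
    are not a complete ClientHello or carry no SNI. Never raises on junk input."""
    try:
        if packet[0] != 0x16:                                      # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", packet[3:5])[0]
        hs = packet[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != 0x01:                     # truncated, or not a ClientHello
            return None
        pos = 4 + 2 + 32                                           # handshake header, version, random
        pos += 1 + hs[pos]                                         # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]         # cipher_suites
        pos += 1 + hs[pos]                                         # compression_methods
        if pos + 2 > len(hs):
            return None                                            # no extensions block at all
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type != SNI_EXT:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= list_end:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == 0:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.sophos.com")))       # the host, nothing more
    print(extract_sni(build_client_hello(None)))                   # no SNI -> None
    print(extract_sni(b"GET /test HTTP/1.1\r\n"))                  # not TLS -> None
```

The only name the parser can recover is the host; a path such as /test is never in the ClientHello, because it is sent inside the HTTP request within the encrypted application data that follows the handshake. That is why a decryption rule can key on sophos.com but not on sophos.com/test.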