
Wildcard usage methods. Is it available ?

Hi All,

General built-in web categories are not enough for creating special in-depth web policies for non-English-speaking countries.
Languages other than English have their own unique words, sentences, even letters, which affect the domain names accordingly.
These variables make it hard to prepare a secure network through policies.

Is there any option available to resolve this kind of requirement in the Sophos XG devices?

How to use wildcards and/or asterisks in Sophos Firewall and/or Cloud Endpoint Protection?

Example usage:

To block any host for site.com use:
*.site.com

Another example: when the streaming-media category is blocked, the settings below allow access to YouTube.

*.youtube.com
*.ytimg.com
*.youtube.com/watch
*.googlevideo.com
The following characters are considered separators:
./?&=;+
Every substring that is separated by the characters listed above is considered a token. A token can be any number of ASCII characters, not containing any separator character or *. For example, the following patterns are valid:
*.yahoo.com   => Tokens are: "*", "yahoo" and "com" 
www.*.com     => Tokens are: "www", "*" and "com"
www.yahoo.com/search=*  => Tokens are: "www", "yahoo", "com", "search", "*"
Thanks all.
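The tokenizer and pattern check described in the post, written up as an added example (not Sophos's own implementation). The post does not say how a `*` token matches, so the following are assumptions: `*` stands for zero or more tokens, the host part of a pattern must match the whole hostname, and a path/query part only has to match the start of the URL's path/query.

```python
import re
from typing import List, Sequence

# Separator set exactly as listed in the post; a token is any run of
# characters between separators.
SEPARATORS = "./?&=;+"
_SPLIT_RE = re.compile("[" + re.escape(SEPARATORS) + "]")
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def tokenize(text: str) -> List[str]:
    """Split a pattern or URL into tokens; empty strings (e.g. from a
    trailing '/' or from '//') are not tokens."""
    return [t for t in _SPLIT_RE.split(text) if t]


def is_valid_pattern(pattern: str) -> bool:
    """Tokens must be ASCII, and '*' may only appear as a whole token."""
    return all(t.isascii() and ("*" not in t or t == "*") for t in tokenize(pattern))


def _match_tokens(pat: Sequence[str], toks: Sequence[str], prefix: bool) -> bool:
    """Recursive token match. Assumption: a '*' token stands for zero or
    more consecutive tokens; other tokens must be equal."""
    if not pat:
        return prefix or not toks
    if pat[0] == "*":
        return any(_match_tokens(pat[1:], toks[i:], prefix) for i in range(len(toks) + 1))
    return bool(toks) and pat[0] == toks[0] and _match_tokens(pat[1:], toks[1:], prefix)


def matches(pattern: str, url: str) -> bool:
    """Assumed semantics: the host part of the pattern must match the whole
    hostname (so '*.site.com' does not match 'site.com.evil.example'); a
    path/query part, if present, matches the start of the URL's path/query
    (so '*.youtube.com/watch' also covers '/watch?v=...'). Case-insensitive."""
    if not is_valid_pattern(pattern):
        raise ValueError(f"invalid wildcard pattern: {pattern!r}")
    url = _SCHEME_RE.sub("", url).lower()
    pattern = pattern.lower()
    u_host, _, u_rest = url.partition("/")
    u_host = u_host.split(":")[0]  # drop an explicit port, which is not a separator
    p_host, _, p_rest = pattern.partition("/")
    if not _match_tokens(tokenize(p_host), tokenize(u_host), prefix=False):
        return False
    return _match_tokens(tokenize(p_rest), tokenize(u_rest), prefix=True)
```

The lookalike-domain case (`*.site.com` against `www.site.com.evil.example`) is the check worth keeping in mind: a matcher that only compares a prefix of the host tokens would allow it.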


  • @Arie: How?
    Can you give us a hint?

  • That is somehow not entirely true. The problem is the detail:

    Let me recap the wildcard situation quickly:

    Most likely people ask for wildcards for "web-based traffic". --> I want everything coming from Sophos.com to be allowed. So all subdomains etc.

    You can approach this in SFOS differently. --> DPI (TLS decryption), web exception or firewall rule.

    In UTM, the web proxy was the only approach. And the web proxy allows the same kind of regex as SFOS does. But in fact, the UTM does not allow wildcards in the firewall for firewall traffic (so bypassing the firewall with *.sophos.com).

    In SFOS, you can simply create a firewall rule: LAN to WAN with *.sophos.com and allow everything.

    But as you move on from the domain level, it gets complicated to interact with a URL. So if you want to allow Sophos.com/*, you cannot do this for decryption. The answer is simple: if the product decides to decrypt the traffic, it has to do this on the first packet. So the first packet is your only chance to decide whether you decrypt or leave the packet. The first packet does not include a GET sophos.com/test --> In fact it is a simple TLS handshake packet. See: https://tls.ulfheim.net/ There is something called SNI, which can give you another chance to include a domain as well (Sophos.com, for example). But not a URL.