Wildcard FQDN filtering


I’m interested how exactly wildcard filtering works with cloud firewall ? Let’s say I want to allow SSH to *.company.com. If I read the documentation right I can’t do this with URLs but not with FQDN. I’m interested in the reason for the diferentiation. Any usefull input is appriciated to help me understand the firewall mechanism better.

Is this because you are not inspecting DNS and without the host header there is not way to tell ?
Can you inspect DNS or is there any other way to allow wildcard FQDN for non-HTTP apps ?

1 Like

Yes, you’ve got it roughly right but we do fully inspect DNS via our DNS Control function.

Here is a full explanation of the current behavioral differences: Behavioral differences in firewall rules with FQDNs and IPs defined directly vs as referenced objects

The ability to support wildcards in Cloud Firewall FQDN policy is actually available on our beta instances today if your organization has access to such a tenant. As you suspect, to support the wildcarding we will need to have DNS directed through the ZIA Zero Trust Exchange (SME, ZEN, Public Service Edge). The feature should be available before the end of the year in all production clouds.


Thank you, exactly what I was looking for.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.