FQDN Support: How does the wildcard "*" (asterisk) match?

AndreasE
Getting noticed

On page https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support we learned how FQDN Support works. This feature allows a wildcard character * (= asterisk) in the Destination column, which is quite handy for "big" domains like microsoft or windows.

 

But that page does not explain how the pattern matching works exactly.

 

Given one of the following possible strings in Destination column:

*.microsoft.com

*microsoft.com

.microsoft.com

microsoft.com

 

my question would be how the following hostnames (extracted from typical URLs) would match:

w3.microsoft.com

microsoft.com

fakemicrosoft.com

.microsoft.com

 

I'd hate to test all of these one by one. My favourite would be someone from Meraki to add it to the documentation page.

BrechtSchamp
Kind of a big deal

Good question. Seems like docs about that are indeed lacking. Perhaps @CameronMoody can add some information about that feature to the docs.

Nash
Kind of a big deal

I would assume that it follows similarly to how content filtering uses wildcards.

 

You can always test, if you're not sure, by setting up a FW rule and seeing if it allows certain traffic. Sometimes labbing is your best bet.

BrechtSchamp
Kind of a big deal

Don't think so @Nash, as in there the wildcard is evaluated as a literal * when it's put in a URL. That would make the example shown in @AndreasE's link pretty dumb.

Nash
Kind of a big deal

Ugh, perhaps you're right. I would have hoped this was consistent across features.

AndreasE
Getting noticed

I hoped that my question would deserve a test and reply from @BrechtSchamp or @Nash or @CameronMoody after 3 weeks...?

 

@AndreasE Have you tried asking support? While community members try to be as helpful as we can, we don't have all the answers, and support can probably get you an answer pretty quick.

Hi Blake,

 

did you mean "Make a Wish" (on that configuration page) or opening a case (what Customer and what kind of bug/support)?

 

Regrettably, you cannot "Make a Wish" on the documentation pages -- even if they deserve it many times from my past experience!

 

Rgds,

Andreas

Nash
Kind of a big deal

I have an open case, but TAC support said I can't use a wildcard, but clearly in the documentation a wildcard can be used.

AndreasE
Getting noticed

Hi im,

 

you can use the wildcard "*" (asterisk) in the "Outbound rules", but you cannot use it in the "Cellular Failover rules".

That's maybe the reason for confusion.

 

You should either re-open the case (if it's been closed) or insist on a sufficient answer.

 

Rgds,

AE

Why do you want to configure it in the outbound Layer 3 rule?

Note: we didn't use cellular.
