End-of-Life (EoL)

Wildcard Guidelines for URL Category Exception Lists

You can use wildcards in URL Category exception lists to easily configure a single entry to match to multiple website subdomains and pages, without having to specify exact subdomains and pages.
Follow these guidelines when creating wildcard entries:
  • The following characters are considered token separators: . / ? & = ; +
  • Every string separated by one or two of these characters is a token. Use wildcard characters as token placeholders, indicating that a specific token can contain any value.
  • You can use either an asterisk (*) or a caret (^) in place of a token, to indicate a wildcard value.
  • Wildcard characters must be the only character within a token; however, an entry can contain multiple wildcards.
When to use asterisk (*) wildcards:
Use an asterisk (*) wildcard to indicate one or multiple variable subdomains. For example, to specify enforcement for Palo Alto Network’s website regardless of the domain extension used, which might be one or two subdomains depending on location, you would add the entry:
. This entry would match to both www.paloaltonetworks.com and www.paloaltonetworks.co.uk.
When to use caret (^) wildcards:
Use caret (^) wildcards to indicate one variable subdomain, and might be helpful when targeting an exact number of subdomains for enforcement. For example,
matches only to URLs like
. This entry wouldn’t match to a site like
, where the URL includes an additional subdomain.
Do not create an entry with consecutive asterisk (*) wildcards or more than nine consecutive caret (^) wildcards—entries like these can affect firewall performance.
For example, do not add an entry like mail.*.*.com; instead, depending on the range of websites you want to control access to, enter
. An entry like
matches to a greater number of sites than
matches to sites with any number of subdomains and
matches to sites with exactly two subdomains.

Recommended For You