You can use placeholder characters in domain lists to configure a single entry that matches multiple website subdomains and pages, including entire top-level domains, or that matches only specific web pages.
Follow these guidelines when creating domain list entries:
- Enter each domain name in a new line; URLs or IP addresses are not supported in this list.
- Do not prefix the domain name with the protocol, http:// or https://.
- The following characters are considered token separators: . / ? & = ; + Every string separated by one or two of these characters is a token. Use wildcard characters as token placeholders, indicating that a specific token can contain any value.
- You can use an asterisk (*) to indicate a wildcard value.
- You can use a caret (^) to indicate an exact match value.
- Wildcard characters must be the only character within a token; however, an entry can contain multiple wildcards.
When to use asterisk (*) wildcards:
Use an asterisk (*) wildcard to indicate one or multiple variable subdomains. For example, to specify enforcement for the Palo Alto Networks website regardless of the domain extension used, which might be one or two subdomains depending on location, you would add the entry: *.paloaltonetworks.com. This entry would match both docs.paloaltonetworks.com and support.paloaltonetworks.com.
You can also use this wildcard to indicate entire top-level domains. For example, to specify enforcement of a TLD named .work, you would add the entry: *.work. This matches against all websites ending with .work.
The (*) wildcard can only be prepended in domain entries.
When to use a caret (^) character:
Use carets (^) to indicate an exact match of a subdomain. For example, ^paloaltonetworks.com matches only paloaltonetworks.com. This entry does not match any other site.
EDL Domain List—Wildcard Examples
The following table lists examples of EDL domain list entries using wildcards, and examples of the sites that these entries match.
|EDL Domain List Entry|Matching Sites|
|---|---|
|*.click|Matches against all websites ending with a top-level domain of .click.|
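The guidelines above as a check to run on a list before publishing it. This is an added example, not Palo Alto Networks code: `lint_entry` flags entries that break the rules, and `matches` models only the asterisk and caret behaviour this page describes. The function names are hypothetical, and the code assumes that each asterisk needs at least one subdomain label and that comparison is done on whole labels.

```python
import ipaddress
import re

SEPARATORS = r"[./?&=;+]"  # token separators listed in the guidelines

def lint_entry(entry):
    """Return the guideline violations found in one domain list entry."""
    problems = []
    if re.match(r"(?i)https?://", entry):
        problems.append("protocol prefix")
    try:
        ipaddress.ip_address(entry)
        problems.append("IP address")
    except ValueError:
        pass  # not an IP literal
    seen_literal = False
    for token in re.split(SEPARATORS, entry):
        if "*" in token and token != "*":
            problems.append("wildcard shares a token")
        elif token == "*" and seen_literal:
            problems.append("wildcard not prepended")
        elif token != "*":
            seen_literal = True
    if "^" in entry[1:]:  # assumption: caret only leads the entry, as in the page's example
        problems.append("caret not at start")
    return problems

def matches(entry, host):
    """Model only the caret and asterisk behaviour described above."""
    entry, host = entry.lower(), host.lower().rstrip(".")
    if entry.startswith("^"):
        return host == entry[1:]  # exact match, nothing else
    labels = entry.split(".")
    wild = 0
    while wild < len(labels) and labels[wild] == "*":
        wild += 1
    if wild == 0:
        raise ValueError("plain entries are not described on this page")
    suffix, host_labels = labels[wild:], host.split(".")
    extra = len(host_labels) - len(suffix)
    # Assumption: each asterisk needs at least one label; compare whole labels
    return extra >= wild and host_labels[extra:] == suffix

# Constructed sample list: three valid entries, four that break the guidelines
SAMPLE = ["*.paloaltonetworks.com", "^paloaltonetworks.com", "*.work",
          "https://example.com", "192.0.2.10", "www.*.com", "*docs.example.com"]

if __name__ == "__main__":
    for e in SAMPLE:
        print(f"{e:28} {lint_entry(e) or 'ok'}")
    print(matches("*.paloaltonetworks.com", "docs.paloaltonetworks.com"))
```

Because comparison is per label, `*.work` does not match `example.network`, and `*.paloaltonetworks.com` does not match a look-alike such as `evilpaloaltonetworks.com`.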