What's the simplest way to block a Top-Level-Domain (*.ru/* for example) in web protection?

What is the simplest way to block all users from visiting a TLD? This seems like a basic functionality but I haven't found a good answer.

  • I know this works in UTM hoping XG


    https?://[A-Za-z0-9.-]*\.ru/

    or

    http?://[A-Za-z0-9.-]*\.ru/


    You can also use country blocking, you may be aware but figure I would mention it.

  • In reply to badrobot:

    I have some regex options but not sure where they would go in the XG to apply to any rules.

  • In reply to badrobot:

    Hello

    You can use those regex for allowing on XG at Web > Exceptions but for blocking a top level domain you can use firewall rules

    Action Drop

    From Lan to Wan

    From Any to FQDN Host - *.ru

    Log if you want.

    There are some other options like creating url groups, or web categories -Need to write all domains and subdomains in this- but i always prefer Firewall Rule for this.

  • In reply to Eren Ertas:

    Trying to add a FQDN Host for "*.ru" (no quotes) but it won't allow it, showing this:


    You must enter a valid value for FQDN

  • In reply to badrobot:

    badrobot

    https?://[A-Za-z0-9.-]*\.ru/

    http?://[A-Za-z0-9.-]*\.ru/

    If working with these REGEX snippets, then the pattern for a URL with a path behind it should be added as well (for example mydomain.ru/mypage/index.php wouldn't be affected by the REGEX snippets above). Afterwards this regex snippet can be used to create a URL Group, which can then be used in a Webfilter Policy.


    By the way... why do you want to block all *.ru pages? Not all of those are bad... I don't see a use case for something like this :-S

  • In reply to HuberChristian:

    Please try adding one of those snippets in a URL Group entry. The Sophos won't accept it: You must enter a valid domain name

    Some TLDs simply aren't hosting anything that would be needed in our line of business. If that changes we have a process for whitelisting.

  • In reply to HuberChristian:

    Good point, I have been playing around with it; https://regex101.com/r/UPBMbG/1/tests has a nice engine for testing if anyone is interested.


    Since we are not really trying to block a TLD but a domain suffix, I wonder if this would work:


    [.](ru)


    Have not tested it though.

  • In reply to badrobot:

    It does not. It simply won't accept regex entries.

  • In reply to ken9000:

    Custom categories and URL Groups do not support RegEx.

    See here for more details:

    https://community.sophos.com/kb/en-us/127270

    I'm not 100% sure but I believe a URL Group just containing "ru" will do it.


    FQDN Host objects appear to not like a top level domain.


    You should also consider country blocking (uses GeoIP). Set the Destination Zone to WAN and the Destination Network to Russian Federation. This will block anything hosted in Russia but not .ru sites that are hosted elsewhere.


  • In reply to Michael Dunn:

    Hmm, maybe you nailed it. "ru" is accepted and seems to block "mail.ru" but not "rushlimbaugh.com" so maybe that will do the trick. Thanks!
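    The difference between the regex snippets quoted in this thread and a plain host-suffix check, as an added Python example that is not part of any post here and not Sophos code. XG's URL Groups don't take regex (see the KB link above), so this is for testing the patterns offline before pasting them into Web > Exceptions, where regex is accepted. It runs the three patterns posted above over constructed sample URLs and compares them with a check on the parsed hostname's last label, which is what the "ru" URL Group entry effectively does: `mail.ru` is caught with or without a path, `www.rushlimbaugh.com` is not, and a `.ru` URL buried in a query string of some other site is not. The sample URLs, the `has_tld` and `thread_pattern_matches` function names, and the `full` flag are all my own.

```python
import re
from urllib.parse import urlsplit

# The three patterns quoted verbatim in the thread, in the order they were posted.
# Note: 'http?' means 'htt' followed by an optional 'p', so the second pattern
# only ever matches plain http:// URLs, never https://.
THREAD_PATTERNS = [
    r"https?://[A-Za-z0-9.-]*\.ru/",
    r"http?://[A-Za-z0-9.-]*\.ru/",
    r"[.](ru)",
]

# Constructed sample URLs of the kind a web filter would see in its logs.
SAMPLE_URLS = [
    "http://mail.ru/",
    "http://mail.ru",                              # no trailing slash
    "https://mydomain.ru/mypage/index.php",        # path behind the host
    "https://MAIL.RU:8443/inbox",                  # upper case and explicit port
    "https://www.rushlimbaugh.com/",               # contains '.ru' but is a .com
    "https://example.com/?next=https://mail.ru/",  # .ru only in a query string
    "https://sub.example.ru.example.com/",         # .ru as an inner label only
]


def hostname_of(url: str) -> str:
    """Lower-cased host part of a URL, without port or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def has_tld(url: str, tld: str = "ru") -> bool:
    """True when the URL's host ends in the given top-level domain.

    This looks only at the host's last DNS label, so the path, query string,
    port and letter case of the URL make no difference, and a host that merely
    contains the substring '.ru' (www.rushlimbaugh.com) does not match.
    """
    labels = hostname_of(url).split(".")
    return len(labels) >= 2 and labels[-1] == tld.lower()


def thread_pattern_matches(url: str, full: bool = False) -> dict:
    """Map each thread pattern to whether it matches the URL.

    full=False uses re.search (substring semantics, the usual engine behaviour);
    full=True uses re.fullmatch, which is what the 'path behind the host is not
    affected' remark in the thread amounts to.
    """
    results = {}
    for pattern in THREAD_PATTERNS:
        compiled = re.compile(pattern)
        hit = compiled.fullmatch(url) if full else compiled.search(url)
        results[pattern] = hit is not None
    return results


def decisions(urls=SAMPLE_URLS, tld: str = "ru") -> dict:
    """URL -> True if a host-suffix filter for the TLD would block it."""
    return {url: has_tld(url, tld) for url in urls}


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url}\n  host-suffix block: {has_tld(url)}")
        for pattern, hit in thread_pattern_matches(url).items():
            print(f"  {pattern:32s} search={hit}")
```

The host-suffix check is also the right shape for a firewall or proxy rule: it decides on the destination host, not on the full request line, so it cannot be bypassed by adding a path or a query parameter and it does not over-block unrelated domains that happen to contain the letters "ru".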

  • In reply to Michael Dunn:

    I would be careful with Country Blocking, albeit some are obvious, i.e. you probably do not do anything with Russia or China, and most businesses are not going to establish a data hub there with all the malicious hacking going on from either of them. However, you need to know your countries if you are doing this; for example Microsoft has data hubs in Singapore, Germany and many other countries, which can cause issues with Office 365. Many AWS servers are not always native to the US either. Anyway, good practice, but don't just blanket the planet; do a few at a time and check things in the logs to see what is being blocked.


  • In reply to badrobot:

    Additionally, not all .ru servers are in Russia; some are based in the US.

    Ian

  • In reply to rfcat_vk:

    These points are understood. We simply don't do any legit business requiring access to many TLDs. There are many phishing and Emotet download attempts using 3rd-world country domains, for example.

  • In reply to ken9000:

    In our business, users have no need to be on sites outside Australia, Japan, NZ, Singapore etc., so for them to be going to China, Russia, etc. is really a no-no.

    That said we all understand not all these locations host bad content.

    An interesting fact from a recent Webroot report:

    Russia only hosts 3% of the bad URLs and China 5%

    The really worrying thing is:

    A massive 40% of malicious URLs were found on good domains.

    So we try and manually block traffic etc., but we will still be under attack from a known good domain anyway.

    Slightly off topic, but have a read of the report here:

  • In reply to M8ey:

    Clearly the problem is the northern hemisphere. In fact, given that 63% are hosted in the US, just block that country. :)