Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945
Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!
We'd love to hear about it! Click here to go to the product suggestion community
What is the simplest way to block all users from visiting a TLD? This seems like a basic functionality but I haven't found a good answer.
I know this works in UTM hoping XG
You can also use country blocking, you may be aware but figure I would mention it.
In reply to badrobot:
I have some regex options but not sure where they would go in the XG to apply to any rules.
You can use those regex for allowing on XG at Web > Exceptions but for blocking a top level domain you can use firewall rules
From Lan to Wan
From Any to FQDN Host - *.ru
Log if you want.
There are some other options like creating url groups, or web categories -Need to write all domains and subdomains in this- but i always prefer Firewall Rule for this.
In reply to Eren Ertas:
Trying to add a FQDN Host for "*.ru" (no quotes) but it won't allow it, showing this:
You must enter a valid value for FQDN
If working with this REGEX Snippets, then the pattern for an URL with Path behind should be added as well (for Example mydomain.ru/mypage/index.php wouldnt be affected by this REGEX Snippets above). Afterwards this Regex Snippet can be used to create an URL Group that afterwards can be used in Webfilter Policy.
By the way... Why do you want to block all *.ru pages? not all of those are bad... I don't se a usecase for something like this :-S
In reply to HuberChristian:
Please try adding one of those snippets in a URL Group entry. The Sophos won't accept it: You must enter a valid domain name
Some TLDs simply aren't hosting anything that would be needed in our line of business. If that changes we have a process for whitelisting.
Good Point, I have been playing around with it, https://regex101.com/r/UPBMbG/1/tests has a nice engine for testing if anyone is interested.
Since we are not really trying to block a TLD but a domain suffix I wonder if this would work
Have not tested it though.
It does not. It simply won't accept regex entries.
In reply to ken9000:
Custom categories and URL Groups do not support RegEx.
See here for more details:
I'm not 100% sure but I believe a URL Group just containing "ru" will do it.
FQDN Host objects appear to not like a top level domain.
You should also consider country blocking (uses GeoIP). Set the Destination Zone to WAN and the Destination Network to Russian Federation. This will block anything hosted in Russia but not .ru sites that are hosted elsewhere.
In reply to Michael Dunn:
Hmm, maybe you nailed it. "ru" is accepted and seems to block "mail.ru" but not "rushlimbaugh.com" so maybe that will do the trick. Thanks!
I would be careful of Country Blocking, all be it some are obvious i.e. you probably do not do anything with Russia or China and most businesses are not going to establish a data hub there with all the malicious hacking going on from either of them. However you need to know your countries if you are doing this, for example Microsoft has data hubs in Singapore, Germany and many other countries that can cause issues with Office 365. Many AWS servers are not always native to the US either, anyway good practice but don't just blanket the planet, do a few at a time and check things in the logs to see what is being blocked.
Additionally not all .ru servers are in Russia some are based in the US.
In reply to rfcat_vk:
These points are understood. We simply don't do any legit business requiring access to many TLDs. There are many phishing and Emotet download attempts using 3rd-world country domains, for example.
In our business users have no need to be on sites outside Australia, Japan, NZ, Singapore etc so for them to be going to China, Russia, etc is really a no no.
That said we all understand not all these locations host bad content.
An interesting fact from a recent Webroot report:
Russia only hosts 3% of the bad URLs and China 5%
The really worrying thing is:
In reply to M8ey:
Clearly the problem is the northern hemisphere. In fact, given that 63% are hosted in the US, just block that country. :)