Approved/Blocked Lists

The approved and blocked lists allow traffic to override the defined policies, web reputation, and advanced threat protection settings.
If authentication is enabled, the approved and blocked lists are matched after authentication. The end user has already finished authentication before entries are matched in the approved and blocked lists.
Note
You cannot use the Approved List to bypass authentication. However, you can use a bypass policy (destination IP addresses) to bypass authentication.
By default, Deep Discovery Web Inspector automatically determines whether to add an input entry as a Server IP address match, a domain match, a URL match, or a File SHA1 object type.
Instead of using auto mode, you can use advanced options to manually specify the object type when adding the entry.

Match Entries

Keep the following in mind when adding entries to a list:
  • The approved list takes precedence over the blocked list.
  • An asterisk (*) denotes a wild card.
  • You can add multiple entries to the approved or blocked list at the same time by using a delimiter between each entry.
    Valid delimiters are semicolon (;), comma (,), or linefeed (\r, \n, or \r\n).
Match Type Description Examples
Auto
You can let Deep Discovery Web Inspector automatically determine the object type when adding an entry to the approved and blocked lists.
Domain and URL
  • Deep Discovery Web Inspector matches the traffic if the site domain+port+path string matches the input keyword.
  • Input entries are protocol insensitive.
    Deep Discovery Web Inspector automatically removes the protocol from the input string.
  • You can use wild cards for intermediate position matches.
  • If the input entry does not contain a wild card, Deep Discovery Web Inspector matches the entire domain with a wild card at the start and end.
  • The domain part of the input string is case-insensitive; however, the path part of a URL is case sensitive.
Server IP address
  • You can input an IP address entry as a single entry or delimited list of IP addresses, Classless Inter-Domain Routing (CIDR) networks, or IP address ranges.
File (SHA1)
  • Deep Discovery Web Inspector adds the SHA1 string as a File (SHA1) type.
Examples:
  • www.test.com matches sites *www.test.com* and *www.test.com.cn.
  • www.t*est.com matches sites www.ttest.com, www.test.com, and a.www.ttest.com.b.
  • www.test.com/path1 matches site a.www.test.com/path1/path2.
  • 192.168.1.1, 10.0.1.100/24,10.0.0.1-10.0.0.100
  • 058f2491a3e13ce2078b7b5e3e62c59dc518ecbb
Server IP address
You can input an IP address entry as a single entry or delimited list of IP addresses, Classless Inter-Domain Routing (CIDR) networks, or IP address ranges.
Examples:
  • 192.168.1.2
  • 192.168.1.1, 10.0.1.100/24,10.0.0.1-10.0.0.100
Domain
  • A match is found if the site domain for the traffic matches the input domain name.
  • If the input entry does not contain a wild card, Deep Discovery Web Inspector matches the entire domain only.
  • Traffic matches are protocol sensitive if the input record contains the protocol.
    If the input entry does not contain the protocol, traffic matches include both HTTP and HTTPS traffic.
  • Wild cards can be used to do prefix, intermediate, or suffix position matches.
  • An IP address is a valid entry for a domain match.
  • The domain input string is case-insensitive.
Examples:
  • www.test.com matches the domain site www.test.com only.
  • https://www.test.com matches the domain site https://www.test.com but not http://www.test.com.
  • *www.test.com matches any domain that ends with www.test.com.
  • www.test.com* matches any domain that starts with www.test.com.
  • www.t*est.com matches the domains www.ttest.com and www.test.com.
  • www.test.c?m matches www.test.com.
URL
  • Deep Discovery Web Inspector matches the traffic if the URL's site domain+port+path+query parameter matches the input URL.
  • If the input entry does not contain a wild card, Deep Discovery Web Inspector matches the entire URL only.
  • Traffic matches are protocol sensitive if the input record contains the protocol.
    If the input entry does not contain the protocol, traffic matches include both HTTP and HTTPS traffic.
  • Wild cards can be used to do prefix, intermediate, or suffix position matches.
  • The domain part of the input string is case-insensitive.
Examples:
  • www.test.com/t matches the URL www.test.com/t only.
    The entry does not match the URLs www.test.com.cn/test or www.test.com/test.
  • https://www.test.com/t matches the URL https://www.test.com/t only, not http://www.test.com/t.
  • www.test.com* matches the URLs www.test.com/, www.test.com/test, and www.test.com.cn/test.
  • www.test.com matches the URL www.test.com only.
    www.test.com.cn/test and www.test.com/test are not matches.
  • *www.test.com matches server.www.test.com.
File (SHA1)
  • Deep Discovery Web Inspector adds the SHA1 string as a File (SHA1) type.
Examples:
  • 058f2491a3e13ce2078b7b5e3e62c59dc518ecbb
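
The difference between Auto and Domain matching described in the table above, modelled as an added example for auditing approved list entries; it is not Trend Micro code. Assumptions: Auto matching is treated as unanchored, as the page's Auto examples show; `?` matches one character, as in the www.test.c?m example; all function names and sample data are constructed.

```python
import re

def _strip_proto(s):
    """Split 'scheme://rest' into (scheme or None, rest)."""
    m = re.match(r"^(https?)://(.*)$", s, re.I)
    return (m.group(1).lower(), m.group(2)) if m else (None, s)

def _fold_host(s):
    """Lower-case the host part only; the path stays case sensitive."""
    host, sep, path = s.partition("/")
    return host.lower() + sep + path

def _to_regex(pattern):
    """'*' -> any run of characters, '?' -> one character (assumption)."""
    return re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")

def auto_match(entry, url):
    """Auto 'Domain and URL': protocol dropped, match is unanchored."""
    pat = _to_regex(_fold_host(_strip_proto(entry)[1]))
    return re.search(pat, _fold_host(_strip_proto(url)[1])) is not None

def domain_match(entry, url):
    """Domain type: whole-domain match; protocol checked only if the entry has one."""
    e_proto, e_rest = _strip_proto(entry)
    u_proto, u_rest = _strip_proto(url)
    if e_proto and e_proto != u_proto:
        return False
    host = u_rest.partition("/")[0].lower()
    return re.fullmatch(_to_regex(e_rest.lower()), host) is not None

def split_entries(text):
    """Split a pasted list on the documented delimiters: ; , CR LF."""
    return [e.strip() for e in re.split(r"[;,\r\n]+", text) if e.strip()]

def audit(entries_text, hosts):
    """Return {entry: hosts matched in Auto mode but not as a Domain entry}."""
    report = {}
    for e in split_entries(entries_text):
        extra = [h for h in hosts if auto_match(e, h) and not domain_match(e, h)]
        if extra:
            report[e] = extra
    return report

# Constructed sample data: a pasted approved list and observed destinations.
APPROVED = "www.test.com; https://portal.test.com\nwww.t*est.com"
HOSTS = ["www.test.com", "www.test.com.cn", "a.www.ttest.com.b", "http://portal.test.com"]
```

`audit(APPROVED, HOSTS)` lists, per entry, the destinations that an Auto entry would approve but an explicit Domain entry would not, which is the set to review before approving in Auto mode.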