Approved/Blocked Lists

Views:

The approved and blocked lists allow traffic to override the defined policies, web reputation, and advanced threat protection settings.

If authentication is enabled, the approved and blocked lists are matched after authentication. The end user has already finished authentication before entries are matched in the approved and blocked lists.

Note

You cannot use the Approved List to bypass authentication. However, you can use a bypass policy (destination IP addresses) to bypass authentication.

By default, Deep Discovery Web Inspector automatically determines whether to add an input entry as a Server IP address match, a domain match, a URL match, or a File SHA1 object type.

Instead of using auto mode, you can use advanced options to manually specify the object type when adding the entry.

Match Entries

Keep the following in mind when adding entries to a list:

The approved list takes precedence over the blocked list.
An asterisk (*) denotes a wild card.
You can add multiple entries to the approved or blocked list at the same time by using a delimiter between each entry.

Valid delimiters are semicolon (;), comma (,), or linefeed (\r, \n, or \r\n).

Match Type	Description	Examples
Auto	You can let Deep Discovery Web Inspector automatically determine the object type when adding an entry to the approved and blocked lists. Domain and URL Deep Discovery Web Inspector matches the traffic if the site `domain+port+path` string matches the input keyword. Input entries are protocol insensitive. Deep Discovery Web Inspector automatically removes the protocol from the input string. You can use wild cards for intermediate position matches. If the input entry does not contain a wild card, Deep Discovery Web Inspector matches the entire domain with a wild card at the start and end. The domain part of the input string is case-insensitive; however, the path part of a URL is case sensitive. Server IP address You can input an IP address entry as a single entry or delimited list of IP addresses, Class InterDomain Routing (CIDR) networks, or IP address ranges. File (SHA1) Deep Discovery Web Inspector adds the SHA1 string as a File (SHA1) type.	`www.test.com` matches sites www.test.com and www.test.com.cn. `www.test.com` matches sites www.ttest.com, www.test.com, and a.www.ttest.com.b. `www.test.com/path1` matches site a.www.test.com/path1/path2. 192.168.1.1, 10.0.1.100/24,10.0.0.1-10.0.0.100 `058f2491a3e13ce2078b7b5e3e62c59dc518ecbb`
Server IP address	You can input an IP address entry as a single entry or delimited list of IP addresses, Class InterDomain Routing (CIDR) networks, or IP address ranges.	192.168.1.2 192.168.1.1, 10.0.1.100/24,10.0.0.1-10.0.0.100
Domain	A match is found if the site domain for the traffic matches the input domain name. If the input entry does not contain a wild card, Deep Discovery Web Inspector matches the entire domain only. Traffic matches are protocol sensitive if the input record contains the protocol. If the input entry does not contain the protocol, traffic matches include both HTTP and HTTPS traffic. Wild cards can be used to do prefix, intermediate, or suffix position matches. An IP address is a valid entry for a domain match. The domain input string is case-insensitive.	`www.test.com` matches the domain site www.test.com only. `https://www.test.com` matches the domain site https://www.test.com but not http://www.test.com. `www.test.com` matches any domain that ends with www.test.com. `www.test.com` matches any domain that starts with www.test.com. `www.t*est.com` matches the domainwww.ttest.com and www.test.com `www.test.c?m` matches www.test.com.
URL	Deep Discovery Web Inspector matches the traffic if the URL's `site domain+port+path+query` parameter matches the input URL. If the input entry does not contain a wild card, Deep Discovery Web Inspector matches the entire URL only. Traffic matches are protocol sensitive if the input record contains the protocol. If the input entry does not contain the protocol, traffic matches include both HTTP and HTTPS traffic. Wild cards can be used to do prefix, intermediate, or suffix position matches. The domain part of the input string is case-insensitive. .	`www.test.com/t` matches the URL www.test.com/t only. The entry does not match the URLs www.test.com.cn/test or www.test.com/test. `https://www.test.com/t` matches the URL https://www.test.com/t only but not http://www.test.com/t. `www.test.com` matches the URLs www.test.com/, www.test.com/test, and www.test.com.cn/test `www.test.com` matches the URL www.test.com only. www.test.com.cn/test and www.test.com/test are not matches. `www.test.com` matches server.www.test.com.
File (SHA1)	Deep Discovery Web Inspector adds the SHA1 string as a File (SHA1) type.	`058f2491a3e13ce2078b7b5e3e62c59dc518ecbb`