URL Filter Format for URLBlocklist and URLAllowlist Policies

URL filtering provides IT admins with powerful tools to manage and control web access for devices within their organization. By implementing these rules and examples, admins can ensure compliance with security policies and regulatory requirements while enabling productive and safe internet usage for users.

The format for defining filters in URLBlocklist and URLAllowlist policies follows a specific pattern:


Components of a URL filter #

  1. Scheme (optional): This field specifies the protocol used in the URL, can be http, https, ftp, chrome, etc, and must be followed by ‘://‘.
  2. Dot prefix (optional): An optional ‘.’ (dot) can prefix the host field to disable subdomain matching.
  3. Host (required): The host field is mandatory and represents a valid hostname or an IP address. It can also be set as ‘*‘. Subdomains can be matched unless disabled by a dot prefix.
  4. Port (optional): An optional port can be specified after the host, and it should be a valid port value ranging from 1 to 65535.
  5. Path (optional): It can optionally follow the port, indicating a specific location within the host. Any string can be used in this field.
  6. Query (optional): It comes at the end of the URL filter, consisting of key-value pairs and key-only tokens delimited by ‘&’.
    • Key-value tokens are separated by ‘=’.
    • A query token can end with ‘*’ to indicate a prefix match.
    • Token order is disregarded during matching.

Special rules and considerations #

  • Path and query are case-sensitive.
  • Custom schemes are supported with restricted patterns (scheme:* and scheme://*).
  • If a ‘#’ reference separator is present, everything after it is ignored.
  • Filters are selected based on the most specific match found:
    • Longest host match is preferred.
    • Filters with non-matching scheme or port are discarded.
    • Longest matching path is selected.
    • Longest set of query tokens are selected.
  • If no valid filter is found, the left-most subdomain is removed from the host and filtering is attempted again.
  • The special ‘*’ host matches all hosts and is searched last.
  • When both blocklist and allowlist filters apply, the allowlist takes precedence.
  • Filters with a ‘.’ prefix match only exact hosts.

Examples #

  • [“”]: Blocks all requests to the domain “” and any subdomains.
  • [“”]: Blocks all HTTP requests to the domain [“”] and any subdomains; other schemes (e.g., HTTPS, FTP) are still allowed.
  • [“”]: Blocks requests to the domain [“”] but not to [“”] or [“”].
  • [“”]: Blocks exactly [“”] and won’t block subdomains.
  • [“*”]: Blocks all requests; only URLs on the allowlist will be permitted.
  • [“*:8080”]: Blocks all requests to port 8080.
  • [“”]: Blocks requests to this exact IP address.
Updated on March 6, 2024
Was this article helpful?

On this page

— talk to an expert —

Schedule a demo