FortiProxy
Article Id 211588
Description

Since FortiProxy version 7.0, the FQDNs configured in the GUI tab 'URL match' or under the CLI option 'config web-proxy url-match' are matched top-down.

The order in which the FQDNs are added therefore matters for correct matching: the first hit will match.

Scope

For FortiProxy version 7.0.x and above.

In version 2.0.x the configured FQDNs did not match top-down.

Solution

The order of the added FQDNs can only be changed via CLI.

There is no option in the GUI to modify the order.

In the example below, traffic for the subdomains of domain.tld should not be sent over the proxy forwarder, while traffic for domain.tld itself should be sent over the upstream proxy.

Because of the order, the domains subdomain1.domain.tld and subdomain2.domain.tld will NOT match, as domain.tld will match first.

# config web-proxy url-match
    edit "domain.tld"
        set url-pattern "domain.tld" <----- Will match first.
        set forward-server "my_forward_proxy"
    next
    edit "no_proxy_for-subdomain1.domain.tld"
        set url-pattern "subdomain1.domain.tld" <----- Will not match.
    next
    edit "no_proxy_for-subdomain2.domain.tld"
        set url-pattern "subdomain2.domain.tld" <----- Will not match.
    next
end


To resolve this, modify the order as follows, moving domain.tld after subdomain2.domain.tld:


# config web-proxy url-match
    edit "no_proxy_for-subdomain1.domain.tld"
        set url-pattern "subdomain1.domain.tld"
    next
    edit "no_proxy_for-subdomain2.domain.tld"
        set url-pattern "subdomain2.domain.tld"
    next
    edit "domain.tld"
        set url-pattern "domain.tld"
        set forward-server "my_forward_proxy"
    next
end


Note.

The CLI offers the 'move' command to move domain.tld after subdomain2.domain.tld. The command takes the entry names used in the 'edit' lines:

# move "domain.tld" after "no_proxy_for-subdomain2.domain.tld"
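
The shadowing described in this article can be checked offline before a configuration is applied. The following is an added example, not Fortinet code: it parses a 'config web-proxy url-match' block, replays first-hit-wins evaluation, and reports entries that an earlier pattern will always beat. The matching rule (a pattern also matches its own subdomains) is an assumption taken from the article's example, and all function names are hypothetical.

```python
import re

# Constructed sample: the mis-ordered configuration from the article.
SAMPLE = """
config web-proxy url-match
    edit "domain.tld"
        set url-pattern "domain.tld"
        set forward-server "my_forward_proxy"
    next
    edit "no_proxy_for-subdomain1.domain.tld"
        set url-pattern "subdomain1.domain.tld"
    next
    edit "no_proxy_for-subdomain2.domain.tld"
        set url-pattern "subdomain2.domain.tld"
    next
end
"""

def parse_url_match(text):
    """Return [(entry_name, url_pattern)] in configured, top-down order."""
    entries, name = [], None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r'edit\s+"?([^"]+?)"?$', line):
            name = m.group(1)
        elif (m := re.match(r'set\s+url-pattern\s+"?([^"\s]+)', line)) and name:
            entries.append((name, m.group(1).lower()))
    return entries

def covers(broad, narrow):
    # Assumed matching model, inferred from the article's example and not
    # from FortiProxy internals: a pattern also matches its subdomains.
    return narrow == broad or narrow.endswith("." + broad)

def first_match(entries, host):
    """Name of the entry a host hits under first-hit-wins evaluation."""
    return next((n for n, p in entries if covers(p, host.lower())), None)

def shadowed_entries(entries):
    """(entry, earlier_entry) pairs where the earlier pattern always wins."""
    found = []
    for i, (name, pattern) in enumerate(entries):
        hit = first_match(entries[:i], pattern)
        if hit is not None:
            found.append((name, hit))
    return found

if __name__ == "__main__":
    for name, earlier in shadowed_entries(parse_url_match(SAMPLE)):
        print(f'"{name}" never matches: shadowed by "{earlier}" above it')
```

Running the same check on the reordered configuration reports no shadowed entries.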
