When generating a destination list, it's possible you will see errors if the format of the destination is entered incorrectly. This article describes what can or cannot be in a destination list as well as providing common errors and resolutions.
A destination list is quite literally a list of internet destinations that can be blocked or allowed based on the administrative preferences for the policies applied to the identities within your organization.
A destination is currently defined as an IP or a fully qualified domain name. In upcoming releases, we will allow for the possibility of adding custom URLs to be blocked in a destination list. This article includes errors generated from incorrectly adding a URL, however this feature is currently not available for most customers and is in still in limited availability.
This article briefly outlines what is or isn't acceptable to be added to a destination list at this time and as this information changes, this article will be updated.
What you can add to a destination list
1. Fully qualified domains and subdomains. The protocol is not required (eg: no "http://" needs to be added in front front of the domain).
If you wish to block all subdomains of a domain, add the top level domain name as exampledomain.com
If you wish to only block a subdomain, add the subdomain as subdomain.exampledomain.com
2. IP addresses can be added to an Allow Destination only. These can only be IPv4 and cannot include ranges like /31 or /16 or subnet masks like 255.255.255.0. An example would be 100.100.101.250
What you cannot add to a destination list
1. You cannot add URLs to a destination list. This is a feature we are hoping to implement in the upcoming few months but as of this writing (July 2017), the ability to allow or block URLs is not available for most customers. For those customers that do have it, this article covers errors you might see.
2. You cannot add URLs that end in file names, such as "www.domain.com/file.exe"
3. You cannot add wildcards. A wildcard is implicit in the way DNS is structured, so adding a domain covers all of the subdomains and there is no reason to add *.domain.com to cover this.
The custom URL destination block lists feature enables Umbrella to extend a domain level block list to encompass full and partial URLs. In turn, this allows you to block certain portions of a website based specifically on the full or partial URL. However, there are limitations and it's possible that the configuration of your destination lists might result in error messages.
NOTE: The feature described in this article is currently not available for most customers and is in early release. For more information, please read: https://docs.umbrella.com/product/umbrella/custom-url-destination-list-how-to
For more information about guidelines that must be followed to ensure that the URL you are entering is actually the one you want blocked, see Custom URL Destination Normalization
|URLs in allow lists are not currently supported. Consider adding the domain only instead.||You'll get this error message if you add a URL to an allow list. Remove the URL and replace it with the domain for that URL.||We are considering adding custom allowed URLs in the future. Please submit a feature request if you would like to see this feature added to Umbrella.|
|Please check to confirm that the URL was entered correctly.||There was a problem with the URL, either in the domain, path or query. Review your URL for legal characters and URL composition. Additionally, you may enter a partial URL to leverage right-side wildcarding. For more information, see Custom URL Destination List How-To.||We adhere to RFC-3986.|
|The supplied URL belongs to a domain that does not present a security concern but may impact Umbrella performance if proxied. Consider adding the domain only instead.||URL matches the high-volume domain list. Consider blocking the domain if you don't trust the destination.||High volume domains do not present a security risk themselves and do not require additional scrutiny.|
|The supplied destination matches the Umbrella global allow list and cannot be saved.||The destination matches the protected allow list. If this error is occurring on a URL, consider blocking the domain if you don't trust the destination. If you're not sure why this destination is considered protected, please contact support.||Destinations in the protected allow list either host services other than HTTP and cannot be proxied or are critical to Umbrella operations.|
|Only ASCII characters can be used for defining URLs.||The URL contains non-ASCII characters. Try percent-encoding the URL or block the domain.||The Intelligent Proxy currently does not support non-ASCII characters. Please submit a feature request if you would like non-ASCII characters supported in Umbrella.|
|There was an issue with one or more of the destinations in the uploaded list.||This is a bulk upload error message. One or more of the URLs or domains supplied in the uploaded list match one of the error conditions above.
Umbrella should provide you with a link to download a list of destinations that could not be uploaded. Please correct or remove the destinations from your bulk upload list and try again.
|Umbrella will not write uploaded destinations to the database unless all uploaded destinations can be accepted.|
|Invalid destination.||No action can be taken at this time. This is a generic error message.||The supplied destination cannot be accepted by Umbrella. You have encountered an error condition Umbrella cannot account for. Please log a case with support so that we can address this error condition.|