{"_id":"58c83a6b5182a60f00f55e52","version":{"_id":"5734a225e4580a200084d5d4","project":"5626d7263a4c6b0d00c454ac","__v":3,"createdAt":"2016-05-12T15:32:53.005Z","releaseDate":"2016-05-12T15:32:53.005Z","categories":["5734a225e4580a200084d5d5","5734a225e4580a200084d5d6","5734a225e4580a200084d5d7","5734a225e4580a200084d5d8","5734a225e4580a200084d5d9","5734a225e4580a200084d5da","5734a225e4580a200084d5db","578885b59f5d5f3600835274","57c465fdf447ab0e001db8df"],"is_deprecated":false,"is_hidden":false,"is_beta":false,"is_stable":true,"codename":"","version_clean":"1.0.5","version":"1.0.5"},"user":"560b40145148ba0d009bd0b5","project":"5626d7263a4c6b0d00c454ac","category":{"_id":"5734a225e4580a200084d5d5","__v":0,"version":"5734a225e4580a200084d5d4","project":"5626d7263a4c6b0d00c454ac","sync":{"url":"","isSync":false},"reference":false,"createdAt":"2015-10-21T00:07:03.426Z","from_sync":false,"order":0,"slug":"getting-started-with-umbrella","title":"Getting Started with Umbrella"},"parentDoc":null,"__v":0,"updates":[],"next":{"pages":[],"description":""},"createdAt":"2017-03-14T18:46:03.406Z","link_external":false,"link_url":"","githubsync":"","sync_unique":"","hidden":false,"api":{"results":{"codes":[]},"settings":"","auth":"required","params":[],"url":""},"isReference":false,"order":8,"body":"## Overview\n\nCustom URL Destination lists allow Umbrella to extend a domain level destination list to encompass full URLs.  In turn, this allows you to block or allow certain parts of a website based specifically on the full URL of that portion of the website.\n\n#### Feature release timing and Umbrella packages\n\nThe custom URL destination feature is only available for customers with the Umbrella Insights or Umbrella Platform packages. [Click here to read more about packages](https://umbrella.cisco.com/products/packages) and contact your Cisco account representative with any questions. \n\nThis functionality is being slowly rolled out to individual customers over an extended period of time.  Our engineering and networking teams are scaling the service out organically and on-boarding customers slowly to this feature to ensure reliable service as we grow. As a result, you may not see the feature in your dashboard even if you have the package available. The feature will become available to you over the upcoming weeks.  \n\n## Adding a URL \n\nTo block a URL, simply enter it into a blocked destination list, or create a new blocked destination list just for URLs. To do this, navigate to **Policies > Destination Lists**, expand a Destination list, add a URL and then click **Save.**  In order for this to work as expected you must adhere to the requirements listed in the sections below.\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/030660c-new_custom_URL.jpg\",\n        \"new_custom_URL.jpg\",\n        945,\n        653,\n        \"#dfe2e5\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\n## Implementing Destination Lists with URLs to be blocked.\n\nIn order for the Umbrella infrastructure to inspect a URL to determine if it matches the ones defined in your blocked destination list, **you must have the following enabled:**\n\n* The intelligent proxy functionality and SSL decryption must be enabled as a part of the policy. For more information, see [Step 3: Pick What You Want This Policy To Do](https://docs.umbrella.com/product/umbrella/customize-your-policies-1/#section-step-3-pick-what-you-want-this-policy-to-do-).\n* The Cisco Umbrella Root CA must be installed on the computer(s) using this policy—ensures HTTPS connections are filtered, too. For more information, see [Cisco Certificate Import Information](https://docs.umbrella.com/product/umbrella/rebrand-cisco-certificate-import-information/).\n* It’s important to specify a URL correctly so that what’s in your policy matches what the user is trying to access (and is subsequently blocked). For more information on what URLs you can or can’t use, please read on further. \n\nThe reason that SSL decryption and the certificate are required is two fold.  First, the certificate is required in order to prevent problems when accessing SSL sites through the intelligent proxy and for SSL decryption to work. Second, the custom URL destination list is protocol agnostic.  We don't expect that it's possible to know which protocol a website will use in advance and adding a protocol in front of a URL is not required when defining a destination list.  Instead, with the SSL decryption enabled, we're able to block a URL whether it's HTTP or HTTPS and minimize the difficulty of creating a destination list on your end.\n \n### URL Normalization for Destination Lists\n\nUmbrella URL Filtering conforms to URL Normalization standards. There are certain guidelines that must be followed in order to ensure the URL you are entering is actually what you want blocked or allowed. These can sometimes mean that the way a URL is displayed in the browser's address bar is not how it should be specified in a destination list.\n \nThis is not done automatically. You must format the URL following the guidelines below in order for it to be blocked as expected.  For guidelines, (read further down in this section.)[https://docs.umbrella.com/product/umbrella/custom-url-destination-list-how-to/#section-url-normalization]\n\nFor a list of errors generated by incorrect URL addition or other reasons, see [Understanding Destination list error messages for custom block URLs](https://support.umbrella.com/hc/en-us/articles/115006964927-Understanding-Custom-URL-Error-Messages).\n\n### Troubleshooting if a URL is not blocked\n\nIf you do not see the block page when navigating to a URL you expect to be blocked, ensure that the policy with destination list enabled is higher in the policy order than other policies the enrolled identity(ies) are configured for.\n\nWait upwards to five minutes before testing again after any policy changes to ensure enough time has passed for the changes to be replicated throughout the Umbrella infrastructure.\n\nIf problems persist, try clearing the local browser cache on your machine, or even your machine's DNS cache (a reboot will accomplish this).\n \nBeyond that, check to see if you have a local (on-premise) proxy that is interfering. For more information, [read this](https://support.umbrella.com/hc/en-us/articles/230563527-Using-Umbrella-with-an-HTTP-proxy).\nAnd be sure to that the Cisco Umbrella Root CA is installed in case of cert errors. For more information, [read this](https://docs.umbrella.com/product/umbrella/rebrand-cisco-certificate-import-information/).\n\nIt's worth checking the reports and ensuring your URL is correctly normalized. The next two sections will cover this.\n\n### Reporting for blocked URLs\n\nA URL is something you can filter against in the Activity Search in the upper righthand corner:\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/568769f-reporting-screenshot.png\",\n        \"reporting-screenshot.png\",\n        304,\n        176,\n        \"#eeeeee\"\n      ],\n      \"sizing\": \"original\"\n    }\n  ]\n}\n[/block]\nOnce you've filtered for URLs, then just add another filter to show the custom block URLs that belong to your destination lists:\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/2c356a3-Screen_Shot_2017-06-27_at_3.53.35_PM.png\",\n        \"Screen Shot 2017-06-27 at 3.53.35 PM.png\",\n        2542,\n        504,\n        \"#f3f3f3\"\n      ]\n    }\n  ]\n}\n[/block]\n### URL Normalization \n\nURLs will be normalized automatically using the following criteria:\n[block:parameters]\n{\n  \"data\": {\n    \"h-0\": \"URL Normalization\",\n    \"0-0\": \"Protocol Schema (the protocol should be stripped)\",\n    \"0-1\": \"hxxp://xyz.com/test →  xyz.com/test\",\n    \"1-0\": \"Username:Password (should be stripped)\",\n    \"1-1\": \"user:pass:::at:::xyz.com → xyz.com\",\n    \"2-0\": \"Ports (should be stripped)\",\n    \"3-0\": \"Trailing slashes (stripped from the end of the URL)\",\n    \"2-1\": \"xyz.com:8080/abc → xyz.com/abc\",\n    \"3-1\": \"xyz.com/abc/ → xyz.com/abc\",\n    \"4-0\": \"Character case (normalized to all lower case)\",\n    \"4-1\": \"XYZ.cOm/abC → xyz.com/abc\"\n  },\n  \"cols\": 2,\n  \"rows\": 5\n}\n[/block]\n## Examples\n\nThe examples below show a single URL and provide examples of what you can and cannot enter to have a block of that URL enforced. The list of URL is built-out from a single example, modifying a single parameter to show whether the URL \"//a.co/cx/15195/100/setup_1848x19m.exe?z=z&super=bad&test=yes\" would be blocked based on the URL entered in the table below.\n\nIn all of these examples, the protocol is stripped as it would be by the interface.\n \nIf you wanted to block this URL *a.co/cx/15195/100/setup_1848x19m.exe?z=z&super=bad&test=yes* the following logic applies:\n\n[block:parameters]\n{\n  \"data\": {\n    \"h-0\": \"URL\",\n    \"h-1\": \"Will be blocked?\",\n    \"h-2\": \"Reason\",\n    \"0-0\": \"a.co/cx/15195/100/setup_1848x19m.exe?z=z&super=bad&test=yes\",\n    \"0-1\": \"Yes\",\n    \"0-2\": \"The full URL is entered.\",\n    \"1-0\": \"a.co/cx/15195/100/setup_1848x19m.exe?super=bad&test=yes&z=z\",\n    \"1-2\": \"\\\"&\\\" is a delimiter; therefore, it's added as another level to the URL after the word \\\"yes\\\".\",\n    \"1-1\": \"Yes\",\n    \"2-0\": \"a.co/cx/15195/100/setup_1848x19m.exe?super=bad&test=yes\",\n    \"2-1\": \"No\",\n    \"2-2\": \"\\\"?\\\" is a delimiter so the URL still would begin at the \\\"yes\\\" and any enforcement would happen after that.\",\n    \"3-2\": \"Given the\\\"?\\\", it still means only characters after \\\"yes\\\" will be enforced; therefore, a direct download of this file would be allowed.\",\n    \"3-0\": \"a.co/cx/15195/100/setup_1848x19m.exe?\",\n    \"4-0\": \"a.co/cx/15195/100/setup_1848x19m.exe\",\n    \"4-2\": \"We will still only block any paths after \\\"yes\\\"; therefore, a direct download of this file would be allowed.\",\n    \"3-1\": \"No\",\n    \"4-1\": \"No \"\n  },\n  \"cols\": 3,\n  \"rows\": 5\n}\n[/block]\nIf you wanted to block this URL *g.com/a/d* , the following logic applies.  \n\nThese are just examples of which destination list entries would block the URL \"g.com/a/d\" and which would not.\n[block:parameters]\n{\n  \"data\": {\n    \"h-0\": \"URL\",\n    \"h-1\": \"Will be blocked?\",\n    \"h-2\": \"Reason\",\n    \"0-0\": \"g.com/a/d\",\n    \"0-1\": \"Yes\",\n    \"0-2\": \"The full URL is entered.\",\n    \"1-0\": \"g.com/a/d?g\",\n    \"1-1\": \"Yes\",\n    \"1-2\": \"Delimits the path with the query \\\"g\\\" but still just a delimiter thus this will be enforced.\",\n    \"2-0\": \"g.com/a/d?\",\n    \"2-1\": \"Yes\",\n    \"2-2\": \"URL + the \\\"?\\\" delimiter.\",\n    \"3-0\": \"g.com/a/\",\n    \"3-1\": \"No\",\n    \"3-2\": \"The URL ends with \\\"/d\\\" so anything before \\\"/d\\\" would not be enforced.\",\n    \"4-0\": \"g.com/a/?a\",\n    \"4-1\": \"No\",\n    \"4-2\": \"The URL ends with \\\"/d\\\" so anything before \\\"/d\\\" would not be enforced.\"\n  },\n  \"cols\": 3,\n  \"rows\": 5\n}\n[/block]\nIf you wanted to block this URL *d.co/cx/15195/100* , the following applies.  These are just examples of which destination list entries would block the URL \"d.co/cx/15195/100\" and which would not.\n[block:parameters]\n{\n  \"data\": {\n    \"h-0\": \"URL\",\n    \"h-1\": \"Enforced\",\n    \"h-2\": \"Reason\",\n    \"0-0\": \"d.co/cx/15195/100\",\n    \"0-1\": \"Yes\",\n    \"0-2\": \"The full URL is entered.\",\n    \"1-0\": \"d.co/cx/15195/100/?\",\n    \"1-1\": \"Yes\",\n    \"1-2\": \"Everything after the delimited \\\"/\\\" after 100 would be blocked.\",\n    \"2-0\": \"d.co/cx/15195/100/\",\n    \"2-1\": \"Yes\",\n    \"3-0\": \"d.co/cx/15195/100\",\n    \"3-1\": \"Yes\",\n    \"2-2\": \"Everything after the delimited \\\"/\\\" after 100 would be blocked.\",\n    \"4-0\": \"d.co/cx/15195/10\",\n    \"4-1\": \"No\",\n    \"4-2\": \"The delimiter is only for paths after the \\\"/\\\" so any changes to the final path of /100/ would be ignored.\",\n    \"5-0\": \"d.co/cx/15195/1000\",\n    \"5-1\": \"No\",\n    \"6-0\": \"d.co/cx/15195/\",\n    \"6-1\": \"No\",\n    \"7-0\": \"d.co/cx/15195\",\n    \"7-1\": \"No\",\n    \"5-2\": \"The delimiter is only for paths after the \\\"/\\\" so any changes to the final path of /100/ would be ignored.\",\n    \"6-2\": \"The delimiter is only for paths after the \\\"/\\\" so any changes to the final path of /100/ would be ignored.\",\n    \"7-2\": \"The delimiter is only for paths after the \\\"/\\\" so any changes to the final path of /100/ would be ignored.\",\n    \"3-2\": \"Everything after the delimiting \\\"/\\\" after 100 would be blocked.\"\n  },\n  \"cols\": 3,\n  \"rows\": 8\n}\n[/block]\n### Further Information\n \nThere are some other normalization rules that we don't expect many customers to come across. If you find that a URL you entered is not being properly filtered on and you made sure all the above criteria are met, you may want to look at the URL Normalization RFC for more information.\n\nhttps://tools.ietf.org/html/rfc3986\n\n##  Getting Help\nIf you encounter any issues with the custom URL feature, please log a case with Customer Support at: [umbrella-support@cisco.com](mailto:umbrella-support@cisco.com)\n \nYou may want to include the output of the following commands (these commands should be run from a device enrolled in the policy configured for custom URL blocking):\n\n**OS X:**\n_dig proxy.opendnstest.com_\n_dig debug.opendns.com txt_\n\n**Windows**\n_nslookup proxy.opendnstest.com_\n_nslookup -type=txt debug.opendns.com_\n\nYou can also include the output of the Umbrella diagnostic to speed up the troubleshooting.\n\n\n***\n [Enable File Inspection](https://docs.umbrella.com/product/umbrella/file-inspection/) < **Enable URLs to be Blocked in Your Destination Lists** > [Cisco Certificate Import Information](https://docs.umbrella.com/product/umbrella/rebrand-cisco-certificate-import-information/)","excerpt":"","slug":"custom-url-destination-list-how-to","type":"basic","title":"Enable URLs to be Blocked in Your Destination Lists"}

Enable URLs to be Blocked in Your Destination Lists


## Overview Custom URL Destination lists allow Umbrella to extend a domain level destination list to encompass full URLs. In turn, this allows you to block or allow certain parts of a website based specifically on the full URL of that portion of the website. #### Feature release timing and Umbrella packages The custom URL destination feature is only available for customers with the Umbrella Insights or Umbrella Platform packages. [Click here to read more about packages](https://umbrella.cisco.com/products/packages) and contact your Cisco account representative with any questions. This functionality is being slowly rolled out to individual customers over an extended period of time. Our engineering and networking teams are scaling the service out organically and on-boarding customers slowly to this feature to ensure reliable service as we grow. As a result, you may not see the feature in your dashboard even if you have the package available. The feature will become available to you over the upcoming weeks. ## Adding a URL To block a URL, simply enter it into a blocked destination list, or create a new blocked destination list just for URLs. To do this, navigate to **Policies > Destination Lists**, expand a Destination list, add a URL and then click **Save.** In order for this to work as expected you must adhere to the requirements listed in the sections below. [block:image] { "images": [ { "image": [ "https://files.readme.io/030660c-new_custom_URL.jpg", "new_custom_URL.jpg", 945, 653, "#dfe2e5" ], "sizing": "80" } ] } [/block] ## Implementing Destination Lists with URLs to be blocked. In order for the Umbrella infrastructure to inspect a URL to determine if it matches the ones defined in your blocked destination list, **you must have the following enabled:** * The intelligent proxy functionality and SSL decryption must be enabled as a part of the policy. For more information, see [Step 3: Pick What You Want This Policy To Do](https://docs.umbrella.com/product/umbrella/customize-your-policies-1/#section-step-3-pick-what-you-want-this-policy-to-do-). * The Cisco Umbrella Root CA must be installed on the computer(s) using this policy—ensures HTTPS connections are filtered, too. For more information, see [Cisco Certificate Import Information](https://docs.umbrella.com/product/umbrella/rebrand-cisco-certificate-import-information/). * It’s important to specify a URL correctly so that what’s in your policy matches what the user is trying to access (and is subsequently blocked). For more information on what URLs you can or can’t use, please read on further. The reason that SSL decryption and the certificate are required is two fold. First, the certificate is required in order to prevent problems when accessing SSL sites through the intelligent proxy and for SSL decryption to work. Second, the custom URL destination list is protocol agnostic. We don't expect that it's possible to know which protocol a website will use in advance and adding a protocol in front of a URL is not required when defining a destination list. Instead, with the SSL decryption enabled, we're able to block a URL whether it's HTTP or HTTPS and minimize the difficulty of creating a destination list on your end. ### URL Normalization for Destination Lists Umbrella URL Filtering conforms to URL Normalization standards. There are certain guidelines that must be followed in order to ensure the URL you are entering is actually what you want blocked or allowed. These can sometimes mean that the way a URL is displayed in the browser's address bar is not how it should be specified in a destination list. This is not done automatically. You must format the URL following the guidelines below in order for it to be blocked as expected. For guidelines, (read further down in this section.)[https://docs.umbrella.com/product/umbrella/custom-url-destination-list-how-to/#section-url-normalization] For a list of errors generated by incorrect URL addition or other reasons, see [Understanding Destination list error messages for custom block URLs](https://support.umbrella.com/hc/en-us/articles/115006964927-Understanding-Custom-URL-Error-Messages). ### Troubleshooting if a URL is not blocked If you do not see the block page when navigating to a URL you expect to be blocked, ensure that the policy with destination list enabled is higher in the policy order than other policies the enrolled identity(ies) are configured for. Wait upwards to five minutes before testing again after any policy changes to ensure enough time has passed for the changes to be replicated throughout the Umbrella infrastructure. If problems persist, try clearing the local browser cache on your machine, or even your machine's DNS cache (a reboot will accomplish this). Beyond that, check to see if you have a local (on-premise) proxy that is interfering. For more information, [read this](https://support.umbrella.com/hc/en-us/articles/230563527-Using-Umbrella-with-an-HTTP-proxy). And be sure to that the Cisco Umbrella Root CA is installed in case of cert errors. For more information, [read this](https://docs.umbrella.com/product/umbrella/rebrand-cisco-certificate-import-information/). It's worth checking the reports and ensuring your URL is correctly normalized. The next two sections will cover this. ### Reporting for blocked URLs A URL is something you can filter against in the Activity Search in the upper righthand corner: [block:image] { "images": [ { "image": [ "https://files.readme.io/568769f-reporting-screenshot.png", "reporting-screenshot.png", 304, 176, "#eeeeee" ], "sizing": "original" } ] } [/block] Once you've filtered for URLs, then just add another filter to show the custom block URLs that belong to your destination lists: [block:image] { "images": [ { "image": [ "https://files.readme.io/2c356a3-Screen_Shot_2017-06-27_at_3.53.35_PM.png", "Screen Shot 2017-06-27 at 3.53.35 PM.png", 2542, 504, "#f3f3f3" ] } ] } [/block] ### URL Normalization URLs will be normalized automatically using the following criteria: [block:parameters] { "data": { "h-0": "URL Normalization", "0-0": "Protocol Schema (the protocol should be stripped)", "0-1": "hxxp://xyz.com/test → xyz.com/test", "1-0": "Username:Password (should be stripped)", "1-1": "user:pass@xyz.com → xyz.com", "2-0": "Ports (should be stripped)", "3-0": "Trailing slashes (stripped from the end of the URL)", "2-1": "xyz.com:8080/abc → xyz.com/abc", "3-1": "xyz.com/abc/ → xyz.com/abc", "4-0": "Character case (normalized to all lower case)", "4-1": "XYZ.cOm/abC → xyz.com/abc" }, "cols": 2, "rows": 5 } [/block] ## Examples The examples below show a single URL and provide examples of what you can and cannot enter to have a block of that URL enforced. The list of URL is built-out from a single example, modifying a single parameter to show whether the URL "//a.co/cx/15195/100/setup_1848x19m.exe?z=z&super=bad&test=yes" would be blocked based on the URL entered in the table below. In all of these examples, the protocol is stripped as it would be by the interface. If you wanted to block this URL *a.co/cx/15195/100/setup_1848x19m.exe?z=z&super=bad&test=yes* the following logic applies: [block:parameters] { "data": { "h-0": "URL", "h-1": "Will be blocked?", "h-2": "Reason", "0-0": "a.co/cx/15195/100/setup_1848x19m.exe?z=z&super=bad&test=yes", "0-1": "Yes", "0-2": "The full URL is entered.", "1-0": "a.co/cx/15195/100/setup_1848x19m.exe?super=bad&test=yes&z=z", "1-2": "\"&\" is a delimiter; therefore, it's added as another level to the URL after the word \"yes\".", "1-1": "Yes", "2-0": "a.co/cx/15195/100/setup_1848x19m.exe?super=bad&test=yes", "2-1": "No", "2-2": "\"?\" is a delimiter so the URL still would begin at the \"yes\" and any enforcement would happen after that.", "3-2": "Given the\"?\", it still means only characters after \"yes\" will be enforced; therefore, a direct download of this file would be allowed.", "3-0": "a.co/cx/15195/100/setup_1848x19m.exe?", "4-0": "a.co/cx/15195/100/setup_1848x19m.exe", "4-2": "We will still only block any paths after \"yes\"; therefore, a direct download of this file would be allowed.", "3-1": "No", "4-1": "No " }, "cols": 3, "rows": 5 } [/block] If you wanted to block this URL *g.com/a/d* , the following logic applies. These are just examples of which destination list entries would block the URL "g.com/a/d" and which would not. [block:parameters] { "data": { "h-0": "URL", "h-1": "Will be blocked?", "h-2": "Reason", "0-0": "g.com/a/d", "0-1": "Yes", "0-2": "The full URL is entered.", "1-0": "g.com/a/d?g", "1-1": "Yes", "1-2": "Delimits the path with the query \"g\" but still just a delimiter thus this will be enforced.", "2-0": "g.com/a/d?", "2-1": "Yes", "2-2": "URL + the \"?\" delimiter.", "3-0": "g.com/a/", "3-1": "No", "3-2": "The URL ends with \"/d\" so anything before \"/d\" would not be enforced.", "4-0": "g.com/a/?a", "4-1": "No", "4-2": "The URL ends with \"/d\" so anything before \"/d\" would not be enforced." }, "cols": 3, "rows": 5 } [/block] If you wanted to block this URL *d.co/cx/15195/100* , the following applies. These are just examples of which destination list entries would block the URL "d.co/cx/15195/100" and which would not. [block:parameters] { "data": { "h-0": "URL", "h-1": "Enforced", "h-2": "Reason", "0-0": "d.co/cx/15195/100", "0-1": "Yes", "0-2": "The full URL is entered.", "1-0": "d.co/cx/15195/100/?", "1-1": "Yes", "1-2": "Everything after the delimited \"/\" after 100 would be blocked.", "2-0": "d.co/cx/15195/100/", "2-1": "Yes", "3-0": "d.co/cx/15195/100", "3-1": "Yes", "2-2": "Everything after the delimited \"/\" after 100 would be blocked.", "4-0": "d.co/cx/15195/10", "4-1": "No", "4-2": "The delimiter is only for paths after the \"/\" so any changes to the final path of /100/ would be ignored.", "5-0": "d.co/cx/15195/1000", "5-1": "No", "6-0": "d.co/cx/15195/", "6-1": "No", "7-0": "d.co/cx/15195", "7-1": "No", "5-2": "The delimiter is only for paths after the \"/\" so any changes to the final path of /100/ would be ignored.", "6-2": "The delimiter is only for paths after the \"/\" so any changes to the final path of /100/ would be ignored.", "7-2": "The delimiter is only for paths after the \"/\" so any changes to the final path of /100/ would be ignored.", "3-2": "Everything after the delimiting \"/\" after 100 would be blocked." }, "cols": 3, "rows": 8 } [/block] ### Further Information There are some other normalization rules that we don't expect many customers to come across. If you find that a URL you entered is not being properly filtered on and you made sure all the above criteria are met, you may want to look at the URL Normalization RFC for more information. https://tools.ietf.org/html/rfc3986 ## Getting Help If you encounter any issues with the custom URL feature, please log a case with Customer Support at: [umbrella-support@cisco.com](mailto:umbrella-support@cisco.com) You may want to include the output of the following commands (these commands should be run from a device enrolled in the policy configured for custom URL blocking): **OS X:** _dig proxy.opendnstest.com_ _dig debug.opendns.com txt_ **Windows** _nslookup proxy.opendnstest.com_ _nslookup -type=txt debug.opendns.com_ You can also include the output of the Umbrella diagnostic to speed up the troubleshooting. *** [Enable File Inspection](https://docs.umbrella.com/product/umbrella/file-inspection/) < **Enable URLs to be Blocked in Your Destination Lists** > [Cisco Certificate Import Information](https://docs.umbrella.com/product/umbrella/rebrand-cisco-certificate-import-information/)