Where Policies Apply – Matching Rules

Matching rules define where a policy applies. Rules can match based on hostnames (domains) or URLs, using different matching operations like exact match, contains, prefix, or suffix.

Matching Targets

• Hostname: Matches the domain part of a URL (e.g., example.com, mail.google.com)
• URL: Matches the full URL including path and query string (e.g., https://example.com/admin/login)

Matching Operations

Operation	Description	Example Pattern	Matches
Equals	Exact match (for hostnames, subdomain expansion applies)	google.com	google.com, mail.google.com (with subdomain matching)
Contains	Pattern appears anywhere in the value	facebook	facebook.com, m.facebook.com, facebook.net
Prefix	Value starts with the pattern	mail.	mail.google.com, mail.yahoo.com
Suffix	Value ends with the pattern	.edu	stanford.edu, mit.edu, cs.stanford.edu

Use the rule set preview to confirm alignment with your tenant's recent traffic. The preview lists domains seen in the last 30 days and shows which of them your rules would match, including any tenant-specific includes or excludes.

Tip: To apply a policy everywhere, add a wildcard * to the Include list.

Use the overview to scan existing rule sets, confirm their intent, and decide whether you can reuse a set or need a new one. Each rule set can be attached to multiple policies, so favor reuse where possible.

The preview is history-based: it does not test arbitrary domains. Domains that users haven't visited recently will not appear even if they would match the rules in the future.

URL Matching

URL matching allows you to create rules that match specific paths or file types. This is useful when you want to:

• Block access to admin panels: URL contains /admin/
• Match specific file downloads: URL suffix .pdf or .exe
• Target specific API endpoints: URL prefix https://api.

Note: URL matching requires the browser extension to send the full URL to the check_site endpoint. Older extensions may only send the hostname.