Manage the Tenant Allow/Block List

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Office 365 and Microsoft 365 Defender. Refer to the Applies To section and look for specific call-outs in this article where there might be differences.

Applies to

Note

You can't configure allowed items in the Tenant Allow/Block List at this time.

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you might disagree with the EOP filtering verdict. For example, a good message might be marked as bad (a false positive), or a bad message might be allowed through (a false negative).

The Tenant Allow/Block List in the Security & Compliance Center gives you a way to manually override the Microsoft 365 filtering verdicts. The Tenant Allow/Block List is used during mail flow and at the time of user clicks. You can specify URLs or files to always block.

This article describes how to configure entries in the Tenant Allow/Block List in the Security & Compliance Center or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).

What do you need to know before you begin?

  • You open the Security & Compliance Center at https://protection.office.com/. To go directly to the Tenant Allow/Block List page, use https://protection.office.com/tenantAllowBlockList.

  • You specify files by using the SHA256 hash value of the file. To find the SHA256 hash value of a file in Windows, run the following command in a Command Prompt:

    certutil.exe -hashfile "<Path>\<Filename>" SHA256
    

    An example value is 768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3a. Perceptual hash (pHash) values are not supported.

  • The available URL values are described in the URL syntax for the Tenant Allow/Block List section later in this article.

  • The Tenant Allow/Block List allows a maximum of 500 entries for URLs, and 500 entries for file hashes.

  • The maximum number of characters for each entry is:

    • File hashes = 64
    • URL = 250
  • An entry should be active within 30 minutes.

  • By default, entries in the Tenant Allow/Block List will expire after 30 days. You can specify a date or set them to never expire.

  • To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.

  • You need to be assigned permissions in Exchange Online before you can do the procedures in this article:

    • To add and remove values from the Tenant Allow/Block List, you need to be a member of the Organization Management or Security Administrator role groups.
    • For read-only access to the Tenant Allow/Block List, you need to be a member of the Global Reader or Security Reader role groups.

    For more information, see Permissions in Exchange Online.

    Note

    • Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions and permissions for other features in Microsoft 365. For more information, see About admin roles.
    • The View-Only Organization Management role group in Exchange Online also gives read-only access to the feature.

Use the Security & Compliance Center to create URL entries in the Tenant Allow/Block List

For details about the syntax for URL entries, see the URL syntax for the Tenant Allow/Block List section later in this article.

  1. In the Security & Compliance Center, go to Threat management > Policy > Tenant Allow/Block Lists.

  2. On the Tenant Allow/Block List page, verify that the URLs tab is selected, and then click Block.

  3. In the Block URLs flyout that appears, configure the following settings:

    • Add URLs to block: Enter one URL per line, up to a maximum of 20.

    • Never expire: Do one of the following steps:

      • Verify the setting is turned off (Toggle off) and use the Expires on box to specify the expiration date for the entries.

        or

      • Move the toggle to the right to configure the entries to never expire (Toggle on).

    • Optional note: Enter descriptive text for the entries.

  4. When you're finished, click Add.

Use the Security & Compliance Center to create file entries in the Tenant Allow/Block List

  1. In the Security & Compliance Center, go to Threat management > Policy > Tenant Allow/Block Lists.

  2. On the Tenant Allow/Block List page, select the Files tab, and then click Block.

  3. In the Add files to block flyout that appears, configure the following settings:

    • Add file hashes: Enter one SHA256 hash value per line, up to a maximum of 20.

    • Never expire: Do one of the following steps:

      • Verify the setting is turned off (Toggle off) and use the Expires on box to specify the expiration date for the entries.

        or

      • Move the toggle to the right to configure the entries to never expire (Toggle on).

    • Optional note: Enter descriptive text for the entries.

  4. When you're finished, click Add.

Use the Security & Compliance Center to view entries in the Tenant Allow/Block List

  1. In the Security & Compliance Center, go to Threat management > Policy > Tenant Allow/Block Lists.

  2. Select the URLs tab or the Files tab.

Click on the following column headings to sort in ascending or descending order:

  • Value: The URL or the file hash.
  • Last updated date
  • Expiration date
  • Note

Click Search, enter all or part of a value, and then press ENTER to find a specific value. When you're finished, click Clear search.

Click Filter. In the Filter flyout that appears, configure any of the following settings:

  • Never expire: Select off (Toggle off) or on (Toggle on).

  • Last updated: Select a start date (From), an end date (To) or both.

  • Expiration date: Select a start date (From), an end date (To) or both.

When you're finished, click Apply.

To clear existing filters, click Filter, and in the Filter flyout that appears, click Clear filters.

Use the Security & Compliance Center to modify block entries in the Tenant Allow/Block List

You can't modify the existing blocked URL or file values within an entry. To modify these values, you need to delete and recreate the entry.

  1. In the Security & Compliance Center, go to Threat management > Policy > Tenant Allow/Block Lists.

  2. Select the URLs tab or the Files tab.

  3. Select the block entry that you want to modify, and then click Edit.

  4. In the flyout that appears, configure the following settings:

    • Never expire: Do one of the following steps:

      • Verify the setting is turned off (Toggle off) and use the Expires on box to specify the expiration date for the entry.

        or

      • Move the toggle to the right to configure the entry to never expire (Toggle on).

    • Optional note: Enter descriptive text for the entry.

  5. When you're finished, click Save.

Use the Security & Compliance Center to remove block entries from the Tenant Allow/Block List

  1. In the Security & Compliance Center, go to Threat management > Policy > Tenant Allow/Block Lists.

  2. Select the URLs tab or the Files tab.

  3. Select the block entry that you want to remove, and then click Delete.

  4. In the warning dialog that appears, click Delete.

Use Exchange Online PowerShell or standalone EOP PowerShell to configure the Tenant Allow/Block List

Use PowerShell to add block entries to the Tenant Allow/Block List

To add block entries in the Tenant Allow/Block List, use the following syntax:

New-TenantAllowBlockListItems -ListType <Url | FileHash> -Block -Entries <String[]> [-ExpirationDate <DateTime>] [-NoExpiration] [-Notes <String>]

This example adds a block URL entry for contoso.com and all subdomains (for example, contoso.com, www.contoso.com, and xyz.abc.contoso.com). Because we didn't use the ExpirationDate or NoExpiration parameters, the entry expires after 30 days.

New-TenantAllowBlockListItems -ListType Url -Block -Entries ~contoso.com

This example adds a block file entry for the specified files that never expires.

New-TenantAllowBlockListItems -ListType FileHash -Block -Entries "768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3a","2c0a35409ff0873cfa28b70b8224e9aca2362241c1f0ed6f622fef8d4722fd9a" -NoExpiration

For detailed syntax and parameter information, see New-TenantAllowBlockListItems.
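
As an added example (not from the original article), the following PowerShell builds the -Entries array for a file block entry from local files and pasted hash strings, and rejects anything that is not a 64-character SHA256 value. Get-TablFileHashEntries and the sample file are hypothetical; Get-FileHash is the built-in counterpart of the certutil command shown earlier.

```powershell
# Added example: hypothetical helper that turns file paths and pasted hash
# strings into a clean -Entries array for a FileHash block entry.
function Get-TablFileHashEntries {
    param(
        [string[]]$Path = @(),   # files to hash locally
        [string[]]$Hash = @()    # hash strings received from elsewhere
    )
    $all = @($Hash)
    foreach ($p in $Path) {
        # Same result as: certutil.exe -hashfile "<Path>\<Filename>" SHA256
        $all += (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
    }
    $clean = foreach ($h in $all) {
        $h = $h.Trim().ToLowerInvariant()
        # A SHA256 value is exactly 64 hexadecimal characters (the per-entry limit).
        if ($h -match '^[0-9a-f]{64}$') { $h }
        else { Write-Warning "Skipping '$h': not a 64-character SHA256 value (length $($h.Length))" }
    }
    $clean = @($clean | Select-Object -Unique)
    if ($clean.Count -gt 500) {
        throw "More than the 500 file hash entries the list can hold: $($clean.Count)."
    }
    ,$clean
}

# Constructed sample input: a temporary file plus two pasted values.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'tabl-sample.bin'
[IO.File]::WriteAllText($sample, 'constructed sample content')
$entries = Get-TablFileHashEntries -Path $sample -Hash @(
    '768A813668695EF2483B2BDE7CF5D1B2DB0423A0D3E63E498F3AB6F2EB13EA3A',  # the page's example value, upper case
    '768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3'    # constructed: one character short
)
$entries
Remove-Item -LiteralPath $sample

# With a connected Exchange Online or EOP PowerShell session:
# New-TenantAllowBlockListItems -ListType FileHash -Block -Entries $entries -Notes "<case reference>"
```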

Use PowerShell to view entries in the Tenant Allow/Block List

To view entries in the Tenant Allow/Block List, use the following syntax:

Get-TenantAllowBlockListItems -ListType <Url | FileHash> [-Entry <URLValue | FileHashValue>] [-Block] [-ExpirationDate <DateTime>] [-NoExpiration]

This example returns all blocked URLs.

Get-TenantAllowBlockListItems -ListType Url -Block

This example returns information for the specified file hash value.

Get-TenantAllowBlockListItems -ListType FileHash -Entry "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"

For detailed syntax and parameter information, see Get-TenantAllowBlockListItems.

Use PowerShell to modify block entries in the Tenant Allow/Block List

You can't modify the existing URL or file values within a block entry. To modify these values, you need to delete and recreate the entry.

To modify block entries in the Tenant Allow/Block List, use the following syntax:

Set-TenantAllowBlockListItems -ListType <Url | FileHash> -Ids <"Id1","Id2",..."IdN"> [-Block] [-ExpirationDate <DateTime>] [-NoExpiration] [-Notes <String>]

This example changes the expiration date of the specified block entry.

Set-TenantAllowBlockListItems -ListType Url -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdlKFkv6BcUAAAl_QCZAACqfQNJY8hBTbdlKFkv6BcUAAAl_oSRAAAA" -ExpirationDate (Get-Date "5/30/2020 9:30 AM").ToUniversalTime()

For detailed syntax and parameter information, see Set-TenantAllowBlockListItems.

Use PowerShell to remove block entries from the Tenant Allow/Block List

To remove block entries from the Tenant Allow/Block List, use the following syntax:

Remove-TenantAllowBlockListItems -ListType <Url | FileHash> -Ids <"Id1","Id2",..."IdN">

This example removes the specified block URL entry from the Tenant Allow/Block List.

Remove-TenantAllowBlockListItems -ListType Url -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdlKFkv6BcUAAAl_QCZAACqfQNJY8hBTbdlKFkv6BcUAAAl_oSPAAAA0"

For detailed syntax and parameter information, see Remove-TenantAllowBlockListItems.

URL syntax for the Tenant Allow/Block List

  • IPv4 and IPv6 addresses are allowed, but TCP/UDP ports are not.

  • Filename extensions are not allowed (for example, test.pdf).

  • Unicode is not supported, but Punycode is.

  • Hostnames are allowed if all of the following statements are true:

    • The hostname contains a period.
    • There is at least one character to the left of the period.
    • There are at least two characters to the right of the period.

    For example, t.co is allowed; .com or contoso. are not allowed.

  • Subpaths are not implied.

    For example, contoso.com does not include contoso.com/a.

  • Wildcards (*) are allowed in the following scenarios:

    • A left wildcard must be followed by a period to specify a subdomain.

      For example, *.contoso.com is allowed; *contoso.com is not allowed.

    • A right wildcard must follow a forward slash (/) to specify a path.

      For example, contoso.com/* is allowed; contoso.com* or contoso.com/ab* are not allowed.

    • All subpaths are not implied by a right wildcard.

      For example, contoso.com/* does not include contoso.com/a.

    • *.com* is invalid (not a resolvable domain and the right wildcard does not follow a forward slash).

    • Wildcards are not allowed in IP addresses.

  • The tilde (~) character is available in the following scenarios:

    • A left tilde implies a domain and all subdomains.

      For example, ~contoso.com includes contoso.com and *.contoso.com.

  • URL entries that contain protocols (for example, http://, https://, or ftp://) will fail, because URL entries apply to all protocols.

  • Usernames and passwords aren't supported or required.

  • Quotes (' or ") are invalid characters.

  • A URL should include all redirects where possible.

URL entry scenarios

Valid URL entries and their results are described in the following sections.

Scenario: No wildcards

Entry: contoso.com

  • Allow match: contoso.com

  • Allow not matched:

    • abc-contoso.com
    • contoso.com/a
    • payroll.contoso.com
    • test.com/contoso.com
    • test.com/q=contoso.com
    • www.contoso.com
    • www.contoso.com/q=a@contoso.com
  • Block match:

    • contoso.com
    • contoso.com/a
    • payroll.contoso.com
    • test.com/contoso.com
    • test.com/q=contoso.com
    • www.contoso.com
    • www.contoso.com/q=a@contoso.com
  • Block not matched: abc-contoso.com

Scenario: Left wildcard (subdomain)

Entry: *.contoso.com

  • Allow match and Block match:

    • www.contoso.com
    • xyz.abc.contoso.com
  • Allow not matched and Block not matched:

    • 123contoso.com
    • contoso.com
    • test.com/contoso.com
    • www.contoso.com/abc

Scenario: Right wildcard at top of path

Entry: contoso.com/a/*

  • Allow match and Block match:

    • contoso.com/a/b
    • contoso.com/a/b/c
    • contoso.com/a/?q=joe@t.com
  • Allow not matched and Block not matched:

    • contoso.com
    • contoso.com/a
    • www.contoso.com
    • www.contoso.com/q=a@contoso.com

Scenario: Left tilde

Entry: ~contoso.com

  • Allow match and Block match:

    • contoso.com
    • www.contoso.com
    • xyz.abc.contoso.com
  • Allow not matched and Block not matched:

    • 123contoso.com
    • contoso.com/abc
    • www.contoso.com/abc

Scenario: Right wildcard suffix

Entry: contoso.com/*

  • Allow match and Block match:

    • contoso.com/?q=whatever@fabrikam.com
    • contoso.com/a
    • contoso.com/a/b/c
    • contoso.com/ab
    • contoso.com/b
    • contoso.com/b/a/c
    • contoso.com/ba
  • Allow not matched and Block not matched: contoso.com

Scenario: Left wildcard subdomain and right wildcard suffix

Entry: *.contoso.com/*

  • Allow match and Block match:

    • abc.contoso.com/ab
    • abc.xyz.contoso.com/a/b/c
    • www.contoso.com/a
    • www.contoso.com/b/a/c
    • xyz.contoso.com/ba
  • Allow not matched and Block not matched: contoso.com/b

Scenario: Left and right tilde

Entry: ~contoso.com~

  • Allow match and Block match:

    • contoso.com
    • contoso.com/a
    • www.contoso.com
    • www.contoso.com/b
    • xyz.abc.contoso.com
  • Allow not matched and Block not matched:

    • 123contoso.com
    • contoso.org

Scenario: IP address

Entry: 1.2.3.4

  • Allow match and Block match: 1.2.3.4

  • Allow not matched and Block not matched:

    • 1.2.3.4/a
    • 11.2.3.4/a

IP address with right wildcard

Entry: 1.2.3.4/*

  • Allow match and Block match:

    • 1.2.3.4/b
    • 1.2.3.4/baaaa

Examples of invalid entries

The following entries are invalid:

  • Missing or invalid domain values:

    • contoso
    • *.contoso.*
    • *.com
    • *.pdf
  • Wildcard on text or without spacing characters:

    • *contoso.com
    • contoso.com*
    • *1.2.3.4
    • 1.2.3.4*
    • contoso.com/a*
    • contoso.com/ab*
  • IP addresses with ports:

    • contoso.com:443
    • abc.contoso.com:25
  • Non-descriptive wildcards:

    • *
    • *.*
  • Middle wildcards:

    • conto*so.com
    • conto~so.com
  • Double wildcards:

    • contoso.com/**
    • contoso.com/*/*
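
The syntax rules and invalid-entry examples above can be checked on the client before an entry is submitted. This added example (not part of the original article or of Microsoft's tooling) is one such pre-check; Get-TablUrlEntryProblem is a hypothetical helper name, and the service remains the authority on what it accepts.

```powershell
# Added example: client-side pre-check of URL entries against the syntax rules
# on this page. Get-TablUrlEntryProblem is a hypothetical helper name.
# Returns $null for an entry that passes, otherwise the reason it fails.
# Not checked: the filename-extension rule (it needs a TLD list) and
# tilde/wildcard combinations the page does not describe.
function Get-TablUrlEntryProblem {
    param([Parameter(Mandatory)][string]$Entry)

    if ($Entry.Length -gt 250)        { return 'longer than 250 characters' }
    if ($Entry -match '[^\x21-\x7E]') { return 'whitespace or non-ASCII character (use Punycode)' }
    if ($Entry -match '[''"]')        { return 'quotes are invalid characters' }
    if ($Entry -match '://')          { return 'protocol prefix (entries apply to all protocols)' }

    # Peel off the one permitted leading marker (~ or *.) and trailing marker (/* or ~).
    # Any * or ~ left afterwards is a middle, double, or unanchored wildcard.
    $core = $Entry
    $leftWildcard = $false
    if     ($core.StartsWith('~'))  { $core = $core.Substring(1) }
    elseif ($core.StartsWith('*.')) { $core = $core.Substring(2); $leftWildcard = $true }
    if ($core.EndsWith('/*') -or $core.EndsWith('~')) { $core = $core.Substring(0, $core.Length - 1) }
    if ($core -match '[*~]') { return 'wildcard or tilde in an unsupported position' }

    $hostPart = ($core -split '/', 2)[0]
    if ($hostPart -match '@') { return 'username or password is not supported' }

    # IP literals: dotted-quad IPv4, or an IPv6 candidate (two or more colons).
    $looksV4 = $hostPart -match '^(\d{1,3}\.){3}\d{1,3}$'
    $looksV6 = $hostPart -match ':.*:' -and $hostPart -notmatch '[^0-9a-fA-F:.]'
    if ($looksV4 -or $looksV6) {
        $ip = $null
        if (-not [ipaddress]::TryParse($hostPart, [ref]$ip)) { return 'not a valid IP address' }
        if ($leftWildcard) { return 'wildcards are not allowed in IP addresses' }
        return $null
    }
    if ($hostPart -match ':') { return 'TCP/UDP ports are not allowed' }

    # Hostname rule: a period with 1+ characters to its left and 2+ to its right.
    if ($hostPart -notmatch '^[^.].*\.[^.]{2,}$') {
        return 'hostname needs a period with 1+ characters before and 2+ after it'
    }
    return $null
}

# Candidates drawn from this page's scenarios, rules and invalid-entry list.
$candidates = '~contoso.com', '*.contoso.com/*', '1.2.3.4/*', 'contoso', '*contoso.com',
              'contoso.com/ab*', 'contoso.com:443', 'conto~so.com', 'contoso.com/*/*',
              'https://contoso.com'
$report = foreach ($c in $candidates) {
    $why = Get-TablUrlEntryProblem -Entry $c
    [pscustomobject]@{ Entry = $c; Valid = ($null -eq $why); Reason = $why }
}
$report | Format-Table -AutoSize

# With a connected session, submit only the entries that passed:
# New-TenantAllowBlockListItems -ListType Url -Block -Entries ($report | Where-Object Valid).Entry
```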