Introduction
This document describes what can and cannot be added to a destination list, and covers common errors and their resolutions.
Note: This article refers to DNS Layer Security only. SWG lists have different support levels.
Overview
When you create a destination list, you may see errors if a destination is entered in an incorrect format.
A destination list is quite literally a list of internet destinations that can be blocked or allowed based on the administrative preferences for the policies applied to the identities within your organization.
A destination is currently defined as an IP address, a fully qualified domain name, or a URL.
This article briefly outlines what is and is not acceptable to add to a destination list at this time. As this information changes, this article is updated.
What you can add to a destination list
- Fully qualified domains and subdomains. The protocol is not required (e.g. no "http://" needs to be added in front of the domain).
- If you wish to block all subdomains of a domain, add the top level domain name as exampledomain.com
- If you wish to only block a subdomain, add the subdomain as subdomain.exampledomain.com
- IP addresses can be added to an Allow Destination only.
What you cannot add to a destination list
- You cannot add wildcards. A wildcard is implicit in the way DNS is structured, so adding a domain covers all of the subdomains and there is no reason to add *.domain.com to cover this.
- Certain very popular domains cannot be blocked with our custom URL feature.
- You cannot add the same destination twice in the same list.
Error Messages
The custom URL destination block lists feature enables Umbrella to extend a domain level block list to encompass full and partial URLs. In turn, this allows you to block certain portions of a website based specifically on the full or partial URL. However, there are limitations and it is possible that the configuration of your destination lists might result in error messages.
| Message | Action | Notes |
| --- | --- | --- |
| URLs in allow lists are not currently supported. Consider adding the domain only instead. | You get this error message if you add a URL to an allow list. Remove the URL and replace it with the domain for that URL. | We are considering adding custom allowed URLs in the future. Please submit a feature request if you would like to see this feature added to Umbrella. |
| Invalid Domain, Invalid URL, Invalid IP | The entry of the type entered does not match the required format. Enter the correct expected format and try again. | Double check your entry. |
| Please check to confirm that the URL was entered correctly. | There was a problem with the URL, either in the domain, path or query. Review your URL for legal characters and URL composition. Additionally, you may enter a partial URL to leverage right-side wildcarding. For more information, see Custom URL Destination List How-To. | We adhere to RFC-3986. |
| The supplied URL belongs to a domain that does not present a security concern but may impact Umbrella performance if proxied. Consider adding the domain only instead. | URL matches the high-volume domain list. Consider blocking the domain if you do not trust the destination. | High volume domains do not present a security risk themselves and do not require additional scrutiny. |
| The supplied destination matches the Umbrella global allow list and cannot be saved. | The destination matches the protected allow list. If this error is occurring on a URL, consider blocking the domain if you do not trust the destination. If you are not sure why this destination is considered protected, please contact support. | Destinations in the protected allow list either host services other than HTTP and cannot be proxied or are critical to Umbrella operations. |
| "Only ASCII characters can be used for defining URLs" or "invalid URLs" | The URL contains non-ASCII characters. Try percent-encoding the URL or block the domain. | The Intelligent Proxy currently does not support non-ASCII characters. Please submit a feature request if you would like non-ASCII characters supported in Umbrella. |
| There was an issue with one or more of the destinations in the uploaded list. | This is a bulk upload error message. One or more of the URLs or domains supplied in the uploaded list match one of the error conditions above. Umbrella provides you with a link to download a list of destinations that could not be uploaded. Please correct or remove the destinations from your bulk upload list and try again. | Umbrella does not write uploaded destinations to the database unless all uploaded destinations can be accepted. |
| Invalid destination. | No action can be taken at this time. This is a generic error message. | The supplied destination cannot be accepted by Umbrella. You have encountered an error condition Umbrella cannot account for. Please log a case with support so that we can address this error condition. |
| CIDR is too large! The network mask must not be less than /8 (32 million IP addresses) which is the minimum number of bits allowed. Please enter a larger network mask. | Enter a smaller CIDR block. | /8 is too much for one list. |
| This destination already exists in a list | This indicates you are entering a destination that is already in the list. | Nothing to worry about, you have already performed the necessary action. |
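Because a bulk upload is rejected as a whole when any single destination fails, it helps to check a list locally before uploading it. The following is an added example, not Umbrella's own validation code: `classify`, `precheck`, the URL-versus-domain heuristic, the case-insensitive duplicate check and the sample entries are assumptions built only from the rules and error conditions described on this page.

```python
import ipaddress

def classify(entry):
    """Heuristic (assumed): return 'ip', 'url' or 'domain' for one entry."""
    try:
        ipaddress.ip_network(entry, strict=False)  # single IP or CIDR block
        return "ip"
    except ValueError:
        pass
    rest = entry.split("://", 1)[-1]               # the protocol is optional
    _, slash, tail = rest.partition("/")
    return "url" if (slash and tail) or "?" in rest else "domain"

def precheck(entries, list_type):
    """Check an 'allow' or 'block' list; return (line_no, entry, problem)."""
    problems, seen = [], set()
    for n, raw in enumerate(entries, 1):
        entry = raw.strip()
        kind = classify(entry)
        key = entry if kind == "url" else entry.lower()  # hostnames ignore case
        if key in seen:
            problem = "already in this list"
        elif "*" in entry:
            problem = "wildcards are not accepted; add the domain itself"
        elif kind == "ip" and list_type != "allow":
            problem = "IP addresses go in allow lists only"
        elif kind == "ip" and ipaddress.ip_network(entry, strict=False).prefixlen < 8:
            problem = "CIDR is too large; mask must not be less than /8"
        elif kind == "url" and list_type == "allow":
            problem = "URLs are not supported in allow lists; use the domain"
        elif kind == "url" and not entry.isascii():
            problem = "non-ASCII URL; percent-encode it or block the domain"
        else:
            problem = None
        seen.add(key)
        if problem:
            problems.append((n, entry, problem))
    return problems

# Constructed sample lists (not real destinations).
BLOCK_SAMPLE = ["exampledomain.com", "*.exampledomain.com",
                "subdomain.exampledomain.com/path", "ExampleDomain.com",
                "192.0.2.10", "exampledomain.com/caf\u00e9"]
ALLOW_SAMPLE = ["exampledomain.com", "exampledomain.com/login",
                "10.0.0.0/4", "192.0.2.0/24"]

if __name__ == "__main__":
    for name, sample in (("block", BLOCK_SAMPLE), ("allow", ALLOW_SAMPLE)):
        for line_no, entry, problem in precheck(sample, name):
            print(f"{name} list, line {line_no}: {entry!r}: {problem}")
```

A clean local result does not guarantee acceptance: the high-volume domain list and the protected allow list are maintained by Umbrella and cannot be checked offline.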