In past versions, "*.okta.com" would have matched hacker.org/fake.okta.com. This bit me pretty badly when trying to move from another web filtering box to Check Point's URL Filtering. We blocked *.ar, and it caught some site's /path/to/shared/resources/16x16.left.arrow.png or whatever the path was. I haven't tried using non-regular expressions since R80.20, so it may have changed in a more recent version.
I ended up having to anchor to the slash:
That matches any number of subdomains (including zero subdomains) then anchors the TLD to the slash which separates the domain name from the path in a URL.