Endpoint Protection

  • 1.  custom intrusion prevention rule quick question

    Posted Feb 09, 2011 10:47 AM

    I know that one can block via specific port, for example, you want to prevent a user going to etrade (just popped into my head for some reason) and this is how you'd do it:
    rule tcp, dest=(80), msg="etrade Website",content="etrade.com"

    But what if the thing you want to block starts out HTTP then moves to https, say sort of like paypal and other secure sites do. Does that require a new rule with that 443 port, or can one put them both in the same rule? Like this:
    rule tcp, dest=(80,443), msg="etrade Website",content="etrade.com"

    And if the above is correct, is there a space between the ports along with the comma, or is it just the comma and then the next number, like 80,443?
    Or is it 80, 443?

    Can a person block that using any/all ports using a wildcard?? Such as:
    rule tcp, dest=(*), msg="etrade Website",content="etrade.com"

    Will that work???

    Please, although I appreciate the help, no guesses - I'd prefer if you gave a real-life experience and example. I learn by seeing, and by example. If you say "I think it might" then that isn't really the next step. No offense, but as you know already, IT folks have little room to experiment; the bosses want results.  ;-) And thanks.



  • 2.  RE: custom intrusion prevention rule quick question

    Posted Feb 09, 2011 11:48 AM

    dest=(80,443),

    is the correct syntax for adding more than one port.

    Ref: https://www-secure.symantec.com/connect/sites/default/files/Steps_to_create_a_custom_IDS_signature_0.pdf



  • 3.  RE: custom intrusion prevention rule quick question
    Best Answer

    Posted Feb 09, 2011 11:52 AM


    dest operator (value)

    where value is an unsigned 16-bit number from 0 to 65535.

    For example:

    dest=(120,125)

    value must be enclosed in parentheses. A value of 0 (zero) indicates all ports.

    A range of ports can be specified by using a dash between two port values (for example 3-5 is ports 3, 4, and 5). Multiple ports can be specified by separating them with commas.
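
    The following is an added illustration, not Symantec's code and not part of the thread: a small validator for the dest=(...) grammar described in this answer, assuming only what the answer states (comma-separated unsigned 16-bit ports, dash ranges such as 3-5, and 0 meaning all ports), so a wildcard such as * is rejected rather than silently accepted.

```python
import re
from typing import Optional, Set

# Grammar from the post: dest=(value[,value...]) where each value is an
# unsigned 16-bit port or a dash range such as 3-5, and 0 means all ports.
DEST_RE = re.compile(r"\bdest\s*=\s*\(([^()]*)\)")

def _port(text: str) -> int:
    """Accept only an unsigned decimal number in 0..65535 (so '*' is rejected)."""
    if not text.isdecimal():
        raise ValueError(f"port must be an unsigned number, got {text!r}")
    value = int(text)
    if value > 65535:
        raise ValueError(f"port exceeds 16-bit range: {value}")
    return value

def parse_dest_ports(rule: str) -> Optional[Set[int]]:
    """Ports covered by the dest clause of a bare 'dest=(...)' or a full rule line.
    Returns None when 0 (all ports) is used; raises ValueError for anything else invalid."""
    m = DEST_RE.search(rule)
    if not m:
        raise ValueError(f"dest value must be enclosed in parentheses: {rule!r}")
    ports: Set[int] = set()
    for item in m.group(1).split(","):
        item = item.strip()  # '80, 443' and '80,443' are both accepted
        if "-" in item:
            lo, hi = (_port(part.strip()) for part in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"reversed port range: {item!r}")
            ports.update(range(lo, hi + 1))
        else:
            value = _port(item)
            if value == 0:
                return None  # 0 selects every port
            ports.add(value)
    return ports

def dest_matches(rule: str, port: int) -> bool:
    """True when traffic to `port` falls under the rule's dest clause."""
    covered = parse_dest_ports(rule)
    return covered is None or port in covered

def is_valid_dest(rule: str) -> bool:
    """True when the dest clause parses under the grammar above."""
    try:
        parse_dest_ports(rule)
        return True
    except ValueError:
        return False
```

    Running a draft rule through is_valid_dest before pushing it to the manager catches the * and missing-parenthesis mistakes discussed in this thread without touching a client.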



  • 4.  RE: custom intrusion prevention rule quick question

    Posted Feb 09, 2011 12:00 PM

    Aha, so I am doing it correctly, except I need to use 0 to indicate all ports, and not a *. Good thing I didn't try the * as I know SEP hates errors.

    Thanks. That's perfect.