topic Re: How to add Wildcard Domains as a destination for Firewall policy PA1420 in General Topics

How to add Wildcard Domains as a destination for Firewall policy PA1420

S.Alizada — Thu, 09 Apr 2026 08:40:02 GMT

Dear all,

I have blocked the Port 80 in my network so any clients try to access the internet over the port 80 should not be allowed.

But the thing is that some of the micorsoft IPs and Domains runs over the port 80.

Now I want to add a new firewall rule to my palo alto 1420 to allowlist Miscrosoft IPs and domains over the port 80 and 443, I have also attached a screenshot to this threat showcasing the list of IPs and domain name, now some domains contains wildcards which can't be added at the detination field and also can be added as Address Objects.

So do you think what is the solution to this so that I can add all those domains as destination so when traffic from my Staff VLAN is generated to those domains over the port 80 and/or 443 are allowed.

Thank you.

Best Regares,

Shah

Re: How to add Wildcard Domains as a destination for Firewall policy PA1420

kiwi — Thu, 09 Apr 2026 09:51:37 GMT

Hi @S.Alizada ,

You can't put *.microsoft.com in an Address Object, but you can add them to custom URL categories:

Create a Custom URL Category (Objects > Custom Objects > URL Category).
In this field, you CAN use wildcards.
In your Security Policy, keep the Destination as "Any" (or use the EDLs), but go to the Category tab and add your new Custom URL Category. The firewall will then allow the traffic based on the host header/SNI matching that wildcard.

I mentioned EDL and I believe it is the intended solution for your exact problem:

Palo Alto provides EDL Hosting Service specifically to solve the Microsoft 365 headache. It automatically pulls the latest IPs and URLs from Microsoft and formats them into a link your firewall can read.

You can find the list of URLs here: Palo Alto EDL Hosting Service
Create an External Dynamic List Using the EDL Hosting Service

That last link also mentions to Leverage App-ID alongside EDLs in a policy rule for additional strict enforcement of SaaS application traffic.

Instead of just opening "Port 80," use App-ID. Add applications like office365-base, ms-update, and outlook-web to the rule. This is much more secure because it ensures the traffic is actually a Microsoft service, regardless of what port or IP it’s using.

Hope this helps,

Re: How to add Wildcard Domains as a destination for Firewall policy PA1420

OtakarKlier — Thu, 09 Apr 2026 14:21:46 GMT

Hello,

In my experience, you will find a lot of websites still use port 80. While I understand its not 'encrypted' it still has its usefulness. I think you might find a lot of tickets from users asking why a site is blocked etc. Just my thoughts.

Regards,

Re: How to add Wildcard Domains as a destination for Firewall policy PA1420

Brandon_Wertz — Thu, 09 Apr 2026 17:14:14 GMT

@S.Alizada Also like @OtakarKlier has mentioned basic "Internet" connectivity services for systems like Microsoft and Apple use port 80 status checks. If you're blocking 80/tcp (http), you're creating a future headache for yourself: