Thanks for the response. I was wondering, though, is there a way I could do something like *.blackberry.com? So if the user is hitting test123.blackberry.com one time, then the next time they go to test1234.blackberry.com it will allow them to the site without having to add both sites individually?
A fully qualified domain name (FQDN) should specify its exact location in the tree hierarchy of the Domain Name System (DNS). It specifies all domain levels, including the top-level domain and the root zone. Hence *.blackberry.com will not work as an FQDN address object.
Even though the thread is closed, there was a clarification published after a solution was provided and accepted: an internal verification will prohibit using wildcard characters in FQDN object declarations - DOC-8222, RegEx Pattern for FQDN Address Object, now available as https://live.paloaltonetworks.com/t5/Management-Articles/RegEx-Pattern-for-FQDN-Address-Object/ta-p/... When using an FQDN object, one should consider the maximum number of IPs mapped to an FQDN object (DOC-3371, How to Configure and Test FQDN Objects, now available as https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-and-Test-FQDN-Objects/t... and the default refresh timer (30 minutes, DOC-5085, How to Change the FQDN Refresh Timers, now available at https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-FQDN-Refresh-Timers/ta...
For FQDN objects, the firewall does an nslookup at a defined interval (default 30 minutes) to verify the IP address. Is this true for a custom URL category as well?
With an FQDN object your firewall is evaluating the connection at the very first packet; it will check whether the destination address of the SYN (for example) matches the returned IP address for the FQDN object.
With a URL category, you need to allow any as destination to allow the connection to establish. Once the application data starts to pass through the firewall, it will evaluate the rulebase again, and if the address from the actual data matches the rule the traffic will be allowed to continue. If not, the firewall will deny the rest of the connection.
If the connection is encrypted with SSL/TLS I believe the firewall will use the server certificate
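The behaviours discussed in the posts above (wildcards being rejected in an FQDN object, the 30-minute refresh timer, and the first-packet SYN check versus a URL-category rule that must use destination "any") as an added Python example; this is not firewall code or anything posted in the thread. The label regex and the two-label minimum are this example's own assumptions standing in for the vendor's DOC-8222 pattern, the resolver is an offline stub with constructed answers, and the clock is injected so the refresh interval can be stepped through deterministically.

```python
import re
from typing import Callable, Dict, List, Optional

# Hypothetical label pattern (an assumption; the vendor's own DOC-8222 regex is not
# reproduced on the page): letters, digits and interior hyphens, 1-63 characters.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_fqdn(name: str) -> bool:
    """Accept a name for an FQDN address object only if it is a complete hostname.

    A wildcard such as '*.blackberry.com' is rejected outright, as the thread states.
    The total-length, two-label-minimum and per-label checks are this example's assumptions.
    """
    if not name or len(name) > 253 or "*" in name:
        return False
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    return all(LABEL_RE.match(label) for label in labels)


class FqdnObject:
    """An FQDN address object: a name resolved to IPs, re-resolved on a refresh timer."""

    def __init__(self, name: str, resolver: Callable[[str], List[str]],
                 clock: Callable[[], float], refresh_seconds: int = 30 * 60) -> None:
        if not validate_fqdn(name):
            raise ValueError(f"not a valid FQDN address object: {name!r}")
        self.name = name
        self._resolver = resolver            # injected DNS lookup (offline stub below)
        self._clock = clock                  # injected time source, so refresh is testable
        self._refresh_seconds = refresh_seconds  # default mirrors the 30-minute timer
        self._cached: List[str] = []
        self._last_refresh: Optional[float] = None

    def addresses(self) -> List[str]:
        """Return the cached resolution, re-resolving once the refresh interval has elapsed."""
        now = self._clock()
        if self._last_refresh is None or now - self._last_refresh >= self._refresh_seconds:
            self._cached = list(self._resolver(self.name))
            self._last_refresh = now
        return list(self._cached)

    def matches_destination(self, dst_ip: str) -> bool:
        """First-packet check: is the SYN's destination currently in the resolved set?"""
        return dst_ip in self.addresses()


def syn_allowed(rule: Dict, dst_ip: str) -> bool:
    """Evaluate a rule against the destination address of the very first packet.

    A rule whose destination is a list of FqdnObject instances matches only if dst_ip is
    currently in one object's resolved set. A URL-category rule has to use destination
    'any', so the SYN is let through and the real decision is deferred until the hostname
    is visible in application data; that second evaluation is not modelled here.
    """
    if rule["destination"] == "any":
        return True
    return any(obj.matches_destination(dst_ip) for obj in rule["destination"])


class FakeClock:
    """Settable clock so the refresh interval can be stepped through in a test."""

    def __init__(self, t: float = 0.0) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t


# Constructed DNS answers using TEST-NET addresses; nothing is resolved over the network.
DNS_ANSWERS: Dict[str, List[str]] = {
    "test123.blackberry.com": ["192.0.2.10"],
    "test1234.blackberry.com": ["192.0.2.20", "192.0.2.21"],
}


def stub_resolver(name: str) -> List[str]:
    """Stand-in for the firewall's periodic nslookup (hypothetical, offline)."""
    return DNS_ANSWERS.get(name, [])


if __name__ == "__main__":
    clock = FakeClock()
    obj = FqdnObject("test123.blackberry.com", stub_resolver, clock)
    print(obj.name, "->", obj.addresses())
    for candidate in ("*.blackberry.com", "test1234.blackberry.com"):
        verdict = "valid" if validate_fqdn(candidate) else "rejected (wildcards not allowed)"
        print(candidate, verdict)
```

Each name the user wants to reach therefore needs its own FQDN object (or an address group of them); the wildcard is refused at validation time rather than silently matching nothing. Because `addresses()` only re-resolves when the injected clock has advanced by the refresh interval, a DNS change made by the server owner stays invisible to the first-packet check until the next refresh, which is the operational reason the refresh timer article is worth reading.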