06-12-2014 10:50 AM
Is it possible to use a wildcard when creating a policy based off of a fqdn?
Thanks
06-12-2014 12:27 PM
Yes, you can add an FQDN address object to the security policy.
FYI:
Step 1:
Step 2:
Thanks
06-12-2014 12:32 PM
Thanks for the response. I was wondering, though, whether there is a way I could do something like *.blackberry.com. So if the user hits test123.blackberry.com one time and the next time goes to test1234.blackberry.com, it will allow them to the site without having to add both sites individually?
Thanks
06-12-2014 01:01 PM
Hello,
A fully qualified domain name (FQDN) should specify its exact location in the tree hierarchy of the Domain Name System (DNS). It specifies all domain levels, including the top-level domain and the root zone. Hence *.blackberry.com will not work as an FQDN address object.
Thanks
09-22-2015 01:29 PM - last edited on 09-28-2015 12:35 AM by reaper
Even though the thread is closed, there was a clarification published after a solution was provided and accepted: an internal verification prohibits the use of wildcard characters in FQDN object declarations (DOC-8222, RegEx Pattern for FQDN Address Object, now available as https://live.paloaltonetworks.com/t5/Management-Articles/RegEx-Pattern-for-FQDN-Address-Object/ta-p/...). When using FQDN objects, one should also consider the maximum number of IPs mapped to an FQDN object (DOC-3371, How to Configure and Test FQDN Objects, now available as https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-and-Test-FQDN-Objects/t...) and the default refresh timer of 30 minutes (DOC-5085, How to Change the FQDN Refresh Timers, now available at https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-FQDN-Refresh-Timers/ta...).
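As an added illustration of the three constraints listed in the post above (no wildcards in an FQDN object, a cap on the number of IPs an object carries, and a refresh timer that defaults to 30 minutes), here is a small Python model written for this page. It is not PAN-OS code: the regex is an assumed RFC 1123 hostname pattern, not the one published in DOC-8222; the resolver, the zone data and the 10-IP cap are constructed for the example, and the real cap depends on the PAN-OS version.

```python
import re

# Assumed RFC 1123 hostname syntax written for this example (not the DOC-8222 pattern):
# labels of 1-63 letters/digits/hyphens with no leading or trailing hyphen, dot-separated,
# at least two labels, optional trailing root dot, 253 characters overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")


def is_valid_fqdn(name: str) -> bool:
    """True only for a literal host name; '*' and other wildcard characters never pass."""
    return len(name) <= 253 and FQDN_RE.match(name) is not None


class FqdnObject:
    """Address object that holds the resolved IPs of one name and re-resolves on a timer.

    refresh_seconds defaults to the 30 minutes the thread mentions; max_ips (10 here) is an
    assumed cap standing in for the platform-dependent PAN-OS limit.
    """

    def __init__(self, name, resolver, refresh_seconds=1800, max_ips=10):
        if not is_valid_fqdn(name):
            raise ValueError(f"not a valid FQDN address object: {name!r}")
        self.name = name
        self._resolver = resolver            # callable: name -> list of IP strings
        self.refresh_seconds = refresh_seconds
        self.max_ips = max_ips
        self.ips = ()
        self.truncated = False               # True when DNS returned more IPs than the cap
        self.last_refresh = None

    def refresh(self, now):
        answers = self._resolver(self.name)
        self.ips = tuple(answers[: self.max_ips])
        self.truncated = len(answers) > self.max_ips
        self.last_refresh = now

    def current_ips(self, now):
        """Return the cached IPs, re-resolving only once the refresh timer has expired."""
        if self.last_refresh is None or now - self.last_refresh >= self.refresh_seconds:
            self.refresh(now)
        return self.ips

    def matches(self, dst_ip, now):
        """Policy match as done on the destination IP: is dst_ip one of the cached answers?"""
        return dst_ip in self.current_ips(now)


def demo():
    # Constructed DNS data for the example; these are documentation ranges, not real records.
    zone = {
        "test123.blackberry.com": ["203.0.113.10", "203.0.113.11"],
        "many.example.com": [f"198.51.100.{i}" for i in range(1, 13)],   # 12 A records
    }
    resolver = lambda name: list(zone.get(name, []))
    bb = FqdnObject("test123.blackberry.com", resolver)
    many = FqdnObject("many.example.com", resolver, max_ips=10)

    result = {}
    result["first_lookup"] = bb.matches("203.0.113.10", 0.0)       # resolved on first use
    zone["test123.blackberry.com"] = ["203.0.113.99"]              # record changes in DNS
    result["before_refresh"] = bb.matches("203.0.113.99", 600.0)   # cache still valid: miss
    result["after_refresh"] = bb.matches("203.0.113.99", 1800.0)   # timer expired: hit
    result["capped_ips"] = len(many.current_ips(0.0))              # only the first 10 kept
    result["dropped_ip_matched"] = many.matches("198.51.100.12", 0.0)  # 11th+ IP never matches
    return result


if __name__ == "__main__":
    print(demo())
```

The last two entries of `demo()` show the operational consequence of the IP cap: a name that resolves to more addresses than the object can hold silently leaves some of them unmatched, so traffic to those addresses falls through to whatever rule comes next.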
09-22-2015 01:41 PM
If you are using URL filtering, you can create a custom URL category and apply that category to the security policy.
01-30-2018 09:00 AM
I think this only works if you are going to use HTTP or HTTPS.
02-01-2019 07:51 AM
Hi All,
For FQDN objects the firewall does an nslookup at a defined interval (default 30 minutes) to verify the IP address. Is this true for a custom URL category as well?
Regards,
Deepak Kumar
02-04-2019 06:34 AM
No.
With an FQDN object your firewall evaluates the connection at the very first packet: it checks whether the destination address of the SYN (for example) matches the IP address returned for the FQDN object.
With a URL category, you need to allow any destination so the connection can establish; once application data starts to pass through the firewall, it evaluates the rulebase again, and if the address from the actual data matches the rule the traffic is allowed to continue. If not, the firewall denies the rest of the connection.
If the connection is encrypted with SSL/TLS I believe the firewall will use the server certificate
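To make the two evaluation paths described in the reply above concrete, here is an added Python example, not PAN-OS code, that walks a three-rule rulebase once for a SYN (before any host name is known) and again once the HTTP Host header or TLS SNI is available. The rules, addresses and the `*.blackberry.com` category entry are constructed for the example, and the category matcher is a simplified suffix match, not the firewall's URL matching logic.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    fqdn_ips: frozenset = frozenset()    # resolved IPs of an FQDN address object; empty = any
    url_patterns: tuple = ()             # custom URL category entries; empty = no URL condition


@dataclass
class Session:
    dst_ip: str                          # known from the SYN
    host: Optional[str] = None           # HTTP Host / TLS SNI; unknown until app data arrives


def host_matches(pattern: str, host: str) -> bool:
    """Simplified custom-URL-category match: '*.example.com' matches any subdomain."""
    if pattern.startswith("*."):
        return host.lower().endswith(pattern[1:].lower())
    return host.lower() == pattern.lower()


def evaluate(rules, session):
    """Walk the rulebase top-down and return (rule name, decision).

    decision is "allow", "deny", or "pending": the SYN is let through because a rule with a
    URL condition can only be decided once the host name is visible, at which point the
    rulebase is walked again with session.host filled in.
    """
    for rule in rules:
        if rule.fqdn_ips and session.dst_ip not in rule.fqdn_ips:
            continue                     # FQDN object: decided on the SYN's destination IP
        if rule.url_patterns:
            if session.host is None:
                return rule.name, "pending"
            if not any(host_matches(p, session.host) for p in rule.url_patterns):
                continue                 # host known but outside the category: keep walking
        return rule.name, rule.action
    return None, "deny"                  # implicit interzone default deny


# Constructed rulebase: FQDN-object rule, URL-category rule with destination "any", catch-all.
RULES = (
    Rule("allow-bb-fqdn", "allow", fqdn_ips=frozenset({"203.0.113.10", "203.0.113.11"})),
    Rule("allow-bb-urlcat", "allow", url_patterns=("*.blackberry.com",)),
    Rule("deny-rest", "deny"),
)


def demo():
    # Constructed traffic: one SYN to an IP the FQDN object resolved to, one to any other IP.
    return {
        "fqdn_first_packet": evaluate(RULES, Session("203.0.113.10")),
        "urlcat_first_packet": evaluate(RULES, Session("198.51.100.7")),
        "urlcat_host_in_category": evaluate(
            RULES, Session("198.51.100.7", host="test1234.blackberry.com")),
        "urlcat_host_outside": evaluate(
            RULES, Session("198.51.100.7", host="evil.example.net")),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The "pending" result is the practical difference the reply points at: the URL-category rule cannot refuse the handshake, so the server sees the SYN and the first application bytes before the firewall can act, whereas the FQDN-object rule drops or permits on the first packet but only for the IPs it last resolved.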