Thanks for the response. I was wondering, though: is there a way I could do something like *.blackberry.com? So if the user is hitting test123.blackberry.com one time, then the next time they go to test1234.blackberry.com, it will allow them to the site without having to add both sites individually?
Even though the thread is closed, there was a clarification published after a solution was provided and accepted: an internal verification will prohibit using wildcard characters in FQDN object declarations - DOC-8222, RegEx Pattern for FQDN Address Object, now available as https://live.paloaltonetworks.com/t5/Management-Articles/RegEx-Pattern-for-FQDN-Address-Object/ta-p/...

When using an FQDN object, one should consider the maximum number of IPs mapped to an FQDN object (DOC-3371, How to Configure and Test FQDN Objects, now available as https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-and-Test-FQDN-Objects/t...) and the default refresh timer (30 minutes, DOC-5085, How to Change the FQDN Refresh Timers, now available at https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-FQDN-Refresh-Timers/ta...).
With an FQDN object, your firewall evaluates the connection at the very first packet: it checks whether the destination address of the SYN (for example) matches the IP address returned for the FQDN object.

With a URL category, you need to allow any as destination to allow the connection to establish. Once the application data starts to pass through the firewall, it will evaluate the rulebase again, and if the address from the actual data matches the rule, the traffic will be allowed to continue. If not, the firewall will deny the rest of the connection.

If the connection is encrypted with SSL/TLS, I believe the firewall will use the server certificate
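A simplified model of the two evaluation paths described in this thread, added here as an example; it is not from any poster and is not PAN-OS code. The class and function names, the DNS answers and the glob-style wildcard matching are assumptions made for illustration.

```python
import fnmatch
import ipaddress

# Constructed DNS answers (documentation address range), standing in for
# what the firewall gets back when it refreshes an FQDN object.
SAMPLE_DNS = {
    "test123.blackberry.com": ["203.0.113.10"],
    "test1234.blackberry.com": ["203.0.113.20"],
}

class FqdnObject:
    """Hypothetical model of an FQDN address object: one literal name -> IPs."""

    def __init__(self, name):
        if "*" in name:
            # Mirrors the validation described in the thread: no wildcards.
            raise ValueError(f"wildcard not allowed in FQDN object: {name}")
        self.name = name.lower()
        self.ips = set()

    def refresh(self, dns):
        # Runs on the refresh timer; between refreshes the IP set is fixed.
        self.ips = {ipaddress.ip_address(a) for a in dns.get(self.name, [])}

def fqdn_rule_verdict(objects, syn_dst_ip):
    """Decide on the first packet, using only the SYN's destination IP."""
    dst = ipaddress.ip_address(syn_dst_ip)
    return "allow" if any(dst in o.ips for o in objects) else "deny"

def url_rule_verdict(patterns, host_in_data):
    """Destination 'any' lets the session establish; the rule is evaluated
    again once application data reveals the host. Returns (setup, data)."""
    host = host_in_data.lower()
    hit = any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)
    return ("allow", "allow" if hit else "deny")

if __name__ == "__main__":
    obj = FqdnObject("test123.blackberry.com")
    obj.refresh(SAMPLE_DNS)
    for name, (ip,) in SAMPLE_DNS.items():
        print(name, ip, "fqdn-object:", fqdn_rule_verdict([obj], ip),
              "url-wildcard:", url_rule_verdict(["*.blackberry.com"], name))
```

In this model the FQDN object covers only the one name it was declared with, while the wildcard URL pattern covers both hosts but cannot deny until after the session has been established.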