04-09-2026 01:40 AM
Dear all,
I have blocked port 80 in my network, so any client trying to access the internet over port 80 should not be allowed.
But the thing is that some of the Microsoft IPs and domains run over port 80.
Now I want to add a new firewall rule to my Palo Alto 1420 to allowlist Microsoft IPs and domains over ports 80 and 443. I have also attached a screenshot to this thread showing the list of IPs and domain names. Now, some domains contain wildcards, which can't be added in the destination field and also can't be added as Address Objects.
So what do you think the solution is, so that I can add all those domains as destinations and traffic from my Staff VLAN to those domains over port 80 and/or 443 is allowed?
Thank you.
Best Regards,
Shah
04-09-2026 02:51 AM
Hi @S.Alizada ,
You can't put *.microsoft.com in an Address Object, but you can add it to a custom URL category:
Create a Custom URL Category (Objects > Custom Objects > URL Category).
In this field, you CAN use wildcards.
In your Security Policy, keep the Destination as "Any" (or use the EDLs), but go to the Category tab and add your new Custom URL Category. The firewall will then allow the traffic based on the host header/SNI matching that wildcard.
I mentioned EDLs, and I believe they are the intended solution for your exact problem:
Palo Alto provides the EDL Hosting Service specifically to solve the Microsoft 365 headache. It automatically pulls the latest IPs and URLs from Microsoft and formats them into a link your firewall can read.
You can find the list of URLs here: Palo Alto EDL Hosting Service
That last link also mentions leveraging App-ID alongside EDLs in a policy rule for additional strict enforcement of SaaS application traffic.
Instead of just opening "port 80", use App-ID. Add applications like office365-base, ms-update, and outlook-web to the rule. This is much more secure because it ensures the traffic is actually a Microsoft service, regardless of what port or IP it's using.
Hope this helps,
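The Custom URL Category, EDL and App-ID steps in the reply above, worked through as an added example that is not from this thread or from Palo Alto Networks: a Python script that takes a Microsoft endpoint list (a constructed sample in the same JSON shape as the endpoints.office.com feed, not real data), keeps only entries that use TCP 80 or 443, puts wildcard hosts where they can only go (a custom URL category), turns IP ranges into address objects, and renders PAN-OS configure-mode `set` commands for two allow rules from the Staff VLAN that also pin the App-IDs named in the reply. The `set` syntax, the object-name limits, the zone names and the "`*.example.com` covers every host under `.example.com`" rule used to drop redundant FQDN entries are assumptions; check them against your PAN-OS release before pasting, and use the hosted EDL feed rather than a pasted list for anything you expect to keep current.

```python
"""Split a Microsoft 365 endpoint list into PAN-OS objects and set commands.

Added example, not from the thread or Palo Alto Networks. Assumptions:
  - input JSON in the shape published by endpoints.office.com
    (entries carrying "urls", "ips", "tcpPorts", "udpPorts");
  - PAN-OS configure-mode set syntax and name limits as written here,
    to be checked against your PAN-OS release before pasting.
"""
import json
import re
from typing import Dict, Iterable, List, Set

# Constructed sample in the shape of the endpoints.office.com feed (not real data).
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange",
     "urls": ["outlook.office.com", "outlook.office365.com"],
     "ips": ["13.107.6.152/31", "13.107.18.10/31"],
     "tcpPorts": "80,443", "category": "Optimize", "required": True},
    {"id": 46, "serviceArea": "Common",
     "urls": ["*.events.data.microsoft.com"],
     "tcpPorts": "443", "category": "Default", "required": True},
    {"id": 56, "serviceArea": "Common",
     "urls": ["*.msftconnecttest.com", "www.msftconnecttest.com",
              "ctldl.windowsupdate.com"],
     "tcpPorts": "80", "category": "Default", "required": True},
    {"id": 11, "serviceArea": "Skype",
     "ips": ["52.112.0.0/14"],
     "udpPorts": "3478,3479,3480,3481", "category": "Optimize", "required": True},
])


def _ports(field: str) -> Set[int]:
    """Parse a '80,443' style port string; an absent field means no ports."""
    return {int(p) for p in field.split(",") if p.strip()} if field else set()


def classify(endpoints_json: str,
             wanted_tcp: Iterable[int] = (80, 443)) -> Dict[str, List[str]]:
    """Bucket entries that use any of the wanted TCP ports.

    Wildcard hosts can only go in a custom URL category; plain hosts can be
    URL-list entries or FQDN address objects; IP ranges become address objects.
    """
    wanted = set(wanted_tcp)
    wildcards: Set[str] = set()
    fqdns: Set[str] = set()
    ips: Set[str] = set()
    for entry in json.loads(endpoints_json):
        if not (_ports(entry.get("tcpPorts", "")) & wanted):
            continue  # e.g. UDP-only media ranges belong in a different rule
        for host in entry.get("urls", []):
            (wildcards if "*" in host else fqdns).add(host.lower())
        ips.update(entry.get("ips", []))
    # Drop plain hosts a wildcard already covers. Assumed semantics:
    # "*.example.com" covers every host ending in ".example.com".
    suffixes = [w[1:] for w in wildcards if w.startswith("*.")]
    fqdns = {h for h in fqdns if not any(h.endswith(s) for s in suffixes)}
    return {"wildcards": sorted(wildcards), "fqdns": sorted(fqdns), "ips": sorted(ips)}


def _name(label: str, limit: int = 63) -> str:
    """Make an object name from PAN-OS-safe characters (assumed charset/limit)."""
    return re.sub(r"[^A-Za-z0-9_.-]", "_", label)[:limit]


def panos_set_commands(buckets: Dict[str, List[str]], prefix: str = "m365",
                       from_zone: str = "Staff-VLAN",
                       to_zone: str = "untrust") -> List[str]:
    """Render configure-mode commands: address objects plus a group, a URL-list
    custom category, and two allow rules that pin the apps with App-ID."""
    cat = _name(f"{prefix}-urls", 31)   # custom category names are shorter (assumed 31)
    grp = _name(f"{prefix}-ips")
    apps = "[ office365-base ms-update outlook-web ]"   # App-IDs named in the thread
    svc = "[ service-http service-https ]"             # built-in tcp/80 and tcp/443
    cmds: List[str] = []
    objs: List[str] = []
    for cidr in buckets["ips"]:
        obj = _name(f"{prefix}-net-{cidr}")
        cmds.append(f"set address {obj} ip-netmask {cidr}")
        objs.append(obj)
    if objs:
        cmds.append(f"set address-group {grp} static [ {' '.join(objs)} ]")
    # Plain hosts go into the same URL list as the wildcards: a category match is
    # made on SNI/Host header, so it holds whichever IP the client resolved.
    members = " ".join(buckets["wildcards"] + buckets["fqdns"])
    cmds.append(f'set profiles custom-url-category {cat} type "URL List"')
    cmds.append(f"set profiles custom-url-category {cat} list [ {members} ]")
    cmds.append(f"set rulebase security rules allow-{prefix}-urls from {from_zone} "
                f"to {to_zone} source any source-user any destination any "
                f"category {cat} application {apps} service {svc} action allow")
    if objs:
        cmds.append(f"set rulebase security rules allow-{prefix}-ips from {from_zone} "
                    f"to {to_zone} source any source-user any destination {grp} "
                    f"application {apps} service {svc} action allow")
    return cmds


if __name__ == "__main__":
    for line in panos_set_commands(classify(SAMPLE_ENDPOINTS)):
        print(line)
```

Running it prints the commands for the sample; paste them in configure mode, commit, and then confirm a host such as www.msftconnecttest.com resolves to your custom category with `test url` on the CLI before trusting the rule. Note that the `category` match only applies once the firewall has seen the Host header or SNI, which is why the port-only rule the reply argues against is looser than this one.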
04-09-2026 07:21 AM
Hello,
In my experience, you will find a lot of websites still use port 80. While I understand it's not 'encrypted', it still has its usefulness. I think you might find a lot of tickets from users asking why a site is blocked, etc. Just my thoughts.
Regards,
04-09-2026 10:13 AM - edited 04-09-2026 10:14 AM
@S.Alizada Also, as @OtakarKlier has mentioned, basic "Internet" connectivity services for systems like Microsoft and Apple use port 80 for status checks. If you're blocking 80/tcp (HTTP), you're creating a future headache for yourself.