Security policy that permits traffic to any *.office365.com ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience.

Security policy that permits traffic to any *.office365.com ?

L2 Linker

I see there is an FQDN option for Destination Address when I create a security policy.

I want to permit port 993 to any host in office365.com. Will it work if I just put office.com

in the FQDN destination? Trying to put the * wildcard causes the widget to gray out the

OK button. Thanks!

 

 

1 accepted solution

Accepted Solutions

Hi @Shuttermed

 

Besides this MineMeld has also a lot more use cases.

But just for this one in this topic, you could also create a custom url category for *.office365.com and reference this category directly in the security policy (not in the security profiles of the rule). This should work also as the firewall sees the hostname in the TLS handshake.

And to answer your initial question: it is not possible to create wildcard FQDN objects.

 

Regards,

Remo

View solution in original post

2 REPLIES 2

L7 Applicator

MineMeld has the capability of downloading (from Microsoft) a comprehensive list of IP addressess used as part of their office365 platform.  MineMeld would then publish that list of IP addressess in a format that can be consumed by the firewall as part of an External Dynamic List (EDL) / Dynamic Address Group (DAG).  You would then use this dynamic group as the destination address in your security policy.

 

Here's the discussion forum for MineMeld:

 - https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld

Hi @Shuttermed

 

Besides this MineMeld has also a lot more use cases.

But just for this one in this topic, you could also create a custom url category for *.office365.com and reference this category directly in the security policy (not in the security profiles of the rule). This should work also as the firewall sees the hostname in the TLS handshake.

And to answer your initial question: it is not possible to create wildcard FQDN objects.

 

Regards,

Remo

  • 1 accepted solution
  • 3063 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!