Security policy that permits traffic to any *.office365.com ?

L2 Linker


I see there is an FQDN option for Destination Address when I create a security policy.

I want to permit port 993 to any host in office365.com. Will it work if I just put office.com in the FQDN destination? Trying to put the * wildcard causes the widget to gray out the OK button. Thanks!

All Replies
L7 Applicator

MineMeld has the capability of downloading (from Microsoft) a comprehensive list of IP addresses used as part of their office365 platform. MineMeld would then publish that list of IP addresses in a format that can be consumed by the firewall as part of an External Dynamic List (EDL) / Dynamic Address Group (DAG). You would then use this dynamic group as the destination address in your security policy.

 

Here's the discussion forum for MineMeld:

 - https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld

Cyber Elite (accepted solution)

Hi @Shuttermed

 

Besides this, MineMeld also has a lot more use cases.

But just for this one in this topic, you could also create a custom URL category for *.office365.com and reference this category directly in the security policy (not in the security profiles of the rule). This should also work, as the firewall sees the hostname in the TLS handshake.

And to answer your initial question: it is not possible to create wildcard FQDN objects.

 

Regards,

Remo
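The two replies above approach the same job from two angles: the MineMeld reply has the firewall consume Microsoft's published Office 365 address ranges as an IP-type EDL, and the accepted answer has it match the hostname seen in the TLS handshake against a custom URL category. The Python below is an added example, not MineMeld's, Microsoft's or Palo Alto Networks' code, of the transformation MineMeld performs: it takes records in the shape of Microsoft's Office 365 endpoints web service output (fields such as serviceArea, urls, ips and tcpPorts), keeps the entries that list TCP/993, and renders both an address list in the one-address-or-CIDR-per-line format a PAN-OS IP EDL fetches and the host patterns one would put in the custom URL category. The JSON records are constructed for this example; the field names follow the public endpoint service, and the function names are the example's own.

```python
"""Turn Office 365 endpoint records into firewall-consumable lists.

Added example for this thread (not MineMeld's or Palo Alto Networks' code).
The records mirror the JSON shape of Microsoft's Office 365 IP/URL endpoint
service (id, serviceArea, urls, ips, tcpPorts, udpPorts, category, required);
the records themselves are constructed, not a live download.
"""
import ipaddress
import json
from typing import Iterable, List, Set

# Constructed sample in the shape of the Office 365 endpoint service output.
# Entry 1 deliberately carries one malformed address to show it being dropped.
SAMPLE_ENDPOINTS_JSON = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["outlook.office365.com", "*.outlook.office365.com"],
     "ips": ["40.96.0.0/13", "2603:1006::/40", "not-an-address"],
     "tcpPorts": "80,443,993,995"},
    {"id": 2, "serviceArea": "Exchange", "category": "Allow", "required": True,
     "urls": ["*.protection.outlook.com"],
     "ips": ["40.92.0.0/15", "40.96.0.0/13"],
     "tcpPorts": "443"},
    {"id": 3, "serviceArea": "Common", "category": "Default", "required": False,
     "urls": ["*.office365.com", "*.office.com"],
     "tcpPorts": "80,443", "udpPorts": "443"},
])


def load_endpoints() -> List[dict]:
    """Parse the sample records (a real feed would be fetched over HTTPS)."""
    return json.loads(SAMPLE_ENDPOINTS_JSON)


def _ports(entry: dict, key: str = "tcpPorts") -> Set[int]:
    """Parse the comma-separated port string an entry carries (may be absent)."""
    raw = entry.get(key, "")
    return {int(p) for p in raw.split(",") if p.strip().isdigit()}


def entries_for_port(endpoints: Iterable[dict], port: int) -> List[dict]:
    """Entries that list `port` among their TCP ports."""
    return [e for e in endpoints if port in _ports(e)]


def edl_ip_list(endpoints: Iterable[dict], port: int) -> List[str]:
    """Deduplicated, validated address list for an IP-type EDL.

    Malformed entries are dropped rather than emitted, because a list the
    firewall cannot parse is worse than a list missing one line.
    """
    nets = set()
    for entry in entries_for_port(endpoints, port):
        for ip in entry.get("ips", []):
            try:
                nets.add(ipaddress.ip_network(ip, strict=False))
            except ValueError:
                continue  # skip junk instead of writing an invalid line
    # IPv4 and IPv6 networks do not compare with each other: sort by version first.
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


def url_category_list(endpoints: Iterable[dict], port: int) -> List[str]:
    """Host patterns for the custom URL category, wildcards kept as published."""
    urls = set()
    for entry in entries_for_port(endpoints, port):
        urls.update(entry.get("urls", []))
    return sorted(urls)


def render_edl(lines: Iterable[str]) -> str:
    """One entry per line with a trailing newline, as the firewall fetches it."""
    return "".join(f"{line}\n" for line in lines)


if __name__ == "__main__":
    endpoints = load_endpoints()
    print("# IP EDL for TCP/993:")
    print(render_edl(edl_ip_list(endpoints, 993)), end="")
    print("# Custom URL category entries for TCP/993:")
    print(render_edl(url_category_list(endpoints, 993)), end="")
```

The two outputs fail in different ways, which is why the replies complement each other: the URL-category rule only fires once the firewall has seen the server name in the TLS ClientHello, so an IMAPS client that sends no SNI never matches it, while the IP EDL matches regardless of SNI but admits every Microsoft-published prefix for that port rather than only office365.com hosts.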
