04-13-2018 01:34 PM
I see there is an FQDN option for Destination Address when I create a security policy.
I want to permit port 993 to any host in office365.com. Will it work if I just put office.com
in the FQDN destination? Trying to put the * wildcard causes the widget to gray out the
OK button. Thanks!
04-13-2018 01:54 PM
MineMeld has the capability of downloading (from Microsoft) a comprehensive list of IP addresses used as part of their office365 platform. MineMeld would then publish that list of IP addresses in a format that can be consumed by the firewall as part of an External Dynamic List (EDL) / Dynamic Address Group (DAG). You would then use this dynamic group as the destination address in your security policy.
Here's the discussion forum for MineMeld:
- https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld
04-13-2018 02:15 PM
Hi @Shuttermed
Besides this, MineMeld also has a lot more use cases.
But just for this one in this topic, you could also create a custom URL category for *.office365.com and reference this category directly in the security policy (not in the security profiles of the rule). This should also work, as the firewall sees the hostname in the TLS handshake.
And to answer your initial question: it is not possible to create wildcard FQDN objects.
Regards,
Remo