05-06-2020 09:32 AM
Custom URL category and FQDN object are different configurations altogether and are used for different requirements.
An FQDN object is an address object that can simply be used as the Source Address or Destination Address under a Security Policy. For FQDN objects, the firewall sends a query to its DNS server and gets the list of IP addresses associated with that FQDN. Yes, Palo Alto maps a maximum of 10 IP addresses to that FQDN object. And you can't add a wildcard domain as an FQDN object, as per its name. It will accept only a complete domain.
Now the solution that I am talking about is the creation of a Custom URL Category (type URL List). You can create a custom URL category and add single or multiple wildcard domains under it. Once it is created, it can be called in a Security Policy under the URL Category tab.
For your requirement, the security policy would be:
Source IP - Required IP/Network
Destination - Any
APP ID/Service - Required one
URL category - Custom category created by you.
Action - Allow
This policy will allow only traffic which is specific to your desired wildcard domain specified under the Custom URL category.
You can refer to the article below and follow Option 1: Use URL Category.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltmCAC
Hope it helps!
Mayur
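
The policy described in the post above, written out as PAN-OS configure-mode `set` commands. This is an added example, not part of the original post or of Palo Alto Networks documentation; it assumes a single-vsys firewall running PAN-OS 9.0 or later, and the object names, zones, source network, applications and `example.com` domain are placeholders. Lines starting with `#` are annotations, not commands.

```text
# Custom URL category of type "URL List" holding the wildcard domain (placeholder domain)
set profiles custom-url-category Allowed-Wildcard-Domains type "URL List"
set profiles custom-url-category Allowed-Wildcard-Domains list [ *.example.com ]

# Security rule: destination stays "any"; the URL category decides which sites match
# (zone names, source network and applications are placeholders)
set rulebase security rules Allow-Wildcard-Domains from trust to untrust
set rulebase security rules Allow-Wildcard-Domains source 10.1.1.0/24 destination any
set rulebase security rules Allow-Wildcard-Domains application [ ssl web-browsing ] service application-default
set rulebase security rules Allow-Wildcard-Domains category Allowed-Wildcard-Domains
set rulebase security rules Allow-Wildcard-Domains action allow

# For contrast: an FQDN address object takes one complete domain, no wildcard
set address web-server-fqdn fqdn www.example.com

commit
```

Because the rule's destination is `any`, the URL category is the only thing narrowing it; check the rule's position in the rulebase so that a broader allow rule above it does not match the same traffic first.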