By default, a Palo Alto firewall FQDN address object accepts only a plain domain name, not a wildcard domain. When an FQDN object is committed, the management plane sends periodic DNS queries and populates the object with the IP addresses returned in the DNS reply. Those addresses are then pushed down to the dataplane, where the object is used in security policy. On the dataplane the object consists only of the IP addresses it received from the management plane; it carries no domain information at all. Each FQDN object on the dataplane is also limited to a maximum of 10 IP addresses (the exact cap depends on the PAN-OS version), so a name that resolves to many addresses, as large cloud services do, is only partially covered. Policy matching on an FQDN object is therefore purely IP-based: no hostname or URL lookup is performed, which is why a wildcard has no meaning in this object.
Domain name example: test.com
Wildcard domain name: *.test.com
The workaround is a Custom URL Category. You can create a custom URL category, add one or more wildcard domains to it and, once it is committed, reference it in a security policy rule under the Service/URL Category tab. A URL category matches on the hostname the firewall observes in the traffic itself (the HTTP Host header, or the TLS SNI and server certificate for HTTPS), so wildcard entries work here and the match does not depend on resolving the name to a bounded set of IP addresses. The trade-off is that rules keyed on a URL category only apply to traffic in which the firewall can see a hostname; non-web protocols to the same hosts will not match them and fall through to the rules below.
The procedure to create the security policy is as follows:
- Go to Objects > Custom URL Category and create a category called "amazonaws", for example. Add "*.amazonaws.com" to the category.
- Go to Objects > Custom URL Category again and create a category called "Everything", for example. Add "*" to the category; this entry covers all URLs.
- Add a security policy rule that permits traffic from any to any, and under Service/URL Category add the category "amazonaws".
- Add a second security policy rule below it that blocks traffic from any to any, and under Service/URL Category add the category "Everything".
- Security rules are evaluated top-down and the first match wins: the first rule permits access to *.amazonaws.com, while the second acts as a catch-all that blocks access to all other URLs. Keep the permit rule above the catch-all; if the order is reversed, the "Everything" rule matches first and the permit rule never fires. Remember that the catch-all only matches web traffic with a visible hostname, so non-web traffic is still governed by whatever rules (or the default interzone deny) follow it.
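The following toy model, added here and not part of the original post or of PAN-OS itself, illustrates both halves of the argument above: why an FQDN object (a bounded set of resolved IPs on the dataplane) cannot express a wildcard or cover a large service, and how the two-rule policy built from custom URL categories behaves under first-match evaluation, including the case of non-web traffic that carries no hostname. The hostnames, addresses, rule names, the 10-address cap and the wildcard semantics (`*.example.com` matches subdomains only, `*` matches everything) are assumptions made for illustration; verify the real token rules against your PAN-OS version's documentation.

```python
"""Toy model of the two matching approaches the page contrasts.

Added example, not PAN-OS code and not the author's: it never talks to a
firewall. It models (1) an FQDN address object, which the dataplane sees only
as a bounded set of resolved IP addresses, and (2) a custom URL category, which
matches the hostname the firewall observes (HTTP Host header or TLS SNI /
certificate). Hostnames, addresses, the wildcard semantics and the 10-address
cap are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Set

FQDN_MAX_IPS = 10  # dataplane cap described on the page (version dependent)

# Constructed DNS answers: a hypothetical name that resolves to more addresses
# than one FQDN object can hold, standing in for a large cloud service.
DNS_ANSWERS: Dict[str, List[str]] = {
    "bucket.s3.example-aws.test": [f"198.51.100.{i}" for i in range(1, 25)],
}


@dataclass
class FqdnObject:
    name: str
    fqdn: str
    resolved: Set = field(default_factory=set)

    def refresh(self, answers: Dict[str, List[str]] = DNS_ANSWERS) -> None:
        # The management plane pushes at most FQDN_MAX_IPS addresses down;
        # the dataplane never sees the domain name itself.
        ips = answers.get(self.fqdn, [])[:FQDN_MAX_IPS]
        self.resolved = {ip_address(ip) for ip in ips}

    def matches(self, dst_ip: str) -> bool:
        return ip_address(dst_ip) in self.resolved


def fqdn_coverage_gap(obj: FqdnObject) -> List[str]:
    """Addresses the name currently resolves to that the object cannot match."""
    return [ip for ip in DNS_ANSWERS.get(obj.fqdn, []) if not obj.matches(ip)]


def url_pattern_matches(pattern: str, host: str) -> bool:
    """Match a custom-URL-category style entry against an observed hostname.

    Assumed semantics: '*.example.com' matches any subdomain of example.com but
    neither 'example.com' itself nor 'notexample.com'; a bare '*' matches every
    hostname; anything else is an exact, case-insensitive match.
    """
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com": the dot keeps the label boundary
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


@dataclass
class Rule:
    name: str
    action: str  # "allow" or "deny"
    fqdn_object: Optional[FqdnObject] = None
    url_category: Optional[List[str]] = None  # custom category entries


def evaluate(rules: List[Rule], dst_ip: str, sni_host: Optional[str]) -> str:
    """First-match lookup; returns the matching rule name or 'default-deny'.

    A rule keyed on a URL category can only match once a hostname has been
    observed, so non-web traffic (sni_host=None) falls through both URL rules.
    """
    for rule in rules:
        if rule.fqdn_object is not None and rule.fqdn_object.matches(dst_ip):
            return rule.name
        if rule.url_category is not None and sni_host is not None and any(
            url_pattern_matches(p, sni_host) for p in rule.url_category
        ):
            return rule.name
    return "default-deny"


# The policy from the procedure: permit the wildcard category, then block all URLs.
POLICY = [
    Rule("allow-aws", "allow", url_category=["*.example-aws.test"]),
    Rule("block-all-urls", "deny", url_category=["*"]),
]


if __name__ == "__main__":
    obj = FqdnObject("aws-fqdn", "bucket.s3.example-aws.test")
    obj.refresh()
    print("addresses the FQDN object cannot cover:", len(fqdn_coverage_gap(obj)))
    print(evaluate(POLICY, "198.51.100.20", "bucket.s3.example-aws.test"))
    print(evaluate(POLICY, "203.0.113.5", "example-aws.test.evil.test"))
    print(evaluate(POLICY, "203.0.113.5", None))
```

Running the module shows the three points in turn: the FQDN object silently drops 14 of the 24 addresses the name resolves to, so a connection to one of them would not match an FQDN-based allow rule; a TLS connection whose SNI ends in `.example-aws.test` hits the allow rule regardless of destination IP, while a look-alike such as `example-aws.test.evil.test` falls to the catch-all block; and a non-web flow with no observable hostname matches neither URL-category rule and ends up at the default deny.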