Expand all | Collapse all

Wildcard hostnames in firewall policies

Jump to Best Answer
  • 1.  Wildcard hostnames in firewall policies

    Posted 07-25-2018 05:40

    We're currently using SSG devices and are looking to replace them.


    One really annoying aspect of the SSGs was not being able to use wildcards in FQDN address entres within firewall policies.  This makes whitelisting Office 365 traffic a nightmare;


    We do this because we otherwise send all other HTTP traffic to Symantec Web Security service (formally Bluecoat Threatpulse) for filtering and Office 365 must be excluded.  


    I've read online and have been told from resellers that even Juniper's SRX devices still don't offer this wildcard functionality.  However, I've just come across KB32012 which seems to indicate that it's now supported.  I'm confused.


    Can anyone advise on this or elaborate how they manage Office 365 traffic through their SRX's.  I'd previously discounted the SRX as replacements simply for this reason (looking instead at Sonicwalls, Fortinet and Watchguards).  Truth be told I'd like to remain a Juniper customer if it's possible as they and the SSGs have given us stirling service for the past decade.


    Thanks in advance for any help.



  • 2.  RE: Wildcard hostnames in firewall policies
    Best Answer

    Posted 07-25-2018 13:52



    Unfortunately that is correct.

    You cannot use wildcard patterns in traffic policies.

    KB32012 is talking about wildcards patterns that would be used in UTM policies.

    The one way to solve your problem will be to create PAC file that would be distributed to endpoint machines that will exclude particular destinations to be forwarded to webproxy and forward them directly to your perimeter firewall.

    After it you can create regular traffic policy on the firewall.



    Leon Smirnov

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too


  • 3.  RE: Wildcard hostnames in firewall policies

    Posted 07-26-2018 02:11

    Thanks Leon for your swift reply.


    What a shame.  Regardless of the pain of a PAC file I don't think it would work in our environment anyway; the Symantec Web filter is established by a policy VPN on our SSGs and I expect the PAC to interfere with that.


    It seems I'll have to continue to look elsewhere.