We're currently using SSG devices and are looking to replace them.
One really annoying aspect of the SSGs was not being able to use wildcards in FQDN address entres within firewall policies. This makes whitelisting Office 365 traffic a nightmare; https://support.office.com/en-us/article/office-365-urls-and-ip-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2
We do this because we otherwise send all other HTTP traffic to Symantec Web Security service (formally Bluecoat Threatpulse) for filtering and Office 365 must be excluded.
I've read online and have been told from resellers that even Juniper's SRX devices still don't offer this wildcard functionality. However, I've just come across KB32012 which seems to indicate that it's now supported. I'm confused.
Can anyone advise on this or elaborate how they manage Office 365 traffic through their SRX's. I'd previously discounted the SRX as replacements simply for this reason (looking instead at Sonicwalls, Fortinet and Watchguards). Truth be told I'd like to remain a Juniper customer if it's possible as they and the SSGs have given us stirling service for the past decade.
Thanks in advance for any help.
Unfortunately that is correct.
You cannot use wildcard patterns in traffic policies.
KB32012 is talking about wildcards patterns that would be used in UTM policies.
The one way to solve your problem will be to create PAC file that would be distributed to endpoint machines that will exclude particular destinations to be forwarded to webproxy and forward them directly to your perimeter firewall.
After it you can create regular traffic policy on the firewall.
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
Thanks Leon for your swift reply.
What a shame. Regardless of the pain of a PAC file I don't think it would work in our environment anyway; the Symantec Web filter is established by a policy VPN on our SSGs and I expect the PAC to interfere with that.
It seems I'll have to continue to look elsewhere.