Security policy FQDN

Alex_91

Hello,
by following this Microsoft link to allow access the Outlook App to Exchange OnPrem:

https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#exchange-online

I see that you need to enable fqdn to allow access.
Am I wrong or Zyxel firewalls not resolve the IP class?

I add this roule:

sometimes rule not working

PeterUK

Can FQDN resolve IP subnet?

No I FQDN can lookup the IP's of a DNS name bbc.co.uk

151.101.0.81
151.101.64.81
151.101.192.81
151.101.128.81

You can do *bbc.co.uk for WILDCARD for subdomain by DNS that happens LAN to WAN for the IP's it gets

WJS

Those addresses are server need to access which means this is outgoing traffic.

I thought you need a rule is LAN → WAN , dst: AppOutlook

Alex_91

Let's leave aside for the moment the question of whether it is needed (for incoming or outgoing access).
Can FQDN resolve IP subnet?
Example: outlook.cloud.microsoft -> 13.107.6.152/31 + 13.107.18.10/31 + …
or is it really necessary to specify the various subnets manually?

WJS

It can. It works with FQDN objects.

Alex_91

from specific firmware or what?

I can confirm that if I enter the various IPs manually in the rules (13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, ...) the application works.
If I leave the FQDNs alone (outlook.cloud.microsoft, outlook.office.com, outlook.office365.com) the app doesn't work.

WJS

FQDN object should work with now alive appliance.

But sounds like you have FQDN object which mean your firmware should support this feature.

Maybe try the latest firmware ?

https://community.zyxel.com/en/discussion/17115/zywall-usg-series-v4-73-patch-2-firmware-released

PeterUK

Can FQDN resolve IP subnet?

No I FQDN can lookup the IP's of a DNS name bbc.co.uk

151.101.0.81
151.101.64.81
151.101.192.81
151.101.128.81

You can do *bbc.co.uk for WILDCARD for subdomain by DNS that happens LAN to WAN for the IP's it gets