Security policy FQDN

Alex_91
Alex_91 Posts: 25  Freshman Member
First Comment Friend Collector Sixth Anniversary
edited April 18 in Security

Hello,
by following this Microsoft link to allow access the Outlook App to Exchange OnPrem:

https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#exchange-online

I see that you need to enable fqdn to allow access.
Am I wrong or Zyxel firewalls not resolve the IP class?

I add this roule:

Immagine.jpg

sometimes rule not working

Accepted Solution

  • PeterUK
    PeterUK Posts: 3,382  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited April 22 Answer ✓

    Can FQDN resolve IP subnet?

    No I FQDN can lookup the IP's of a DNS name bbc.co.uk

    151.101.0.81
    151.101.64.81
    151.101.192.81
    151.101.128.81

    You can do *bbc.co.uk for WILDCARD for subdomain by DNS that happens LAN to WAN for the IP's it gets

All Replies

  • WJS
    WJS Posts: 155  Master Member
    5 Answers First Comment Friend Collector Second Anniversary

    Those addresses are server need to access which means this is outgoing traffic.

    I thought you need a rule is LAN → WAN , dst: AppOutlook

  • Alex_91
    Alex_91 Posts: 25  Freshman Member
    First Comment Friend Collector Sixth Anniversary

    Let's leave aside for the moment the question of whether it is needed (for incoming or outgoing access).
    Can FQDN resolve IP subnet?
    Example: outlook.cloud.microsoft -> 13.107.6.152/31 + 13.107.18.10/31 + …
    or is it really necessary to specify the various subnets manually?

  • WJS
    WJS Posts: 155  Master Member
    5 Answers First Comment Friend Collector Second Anniversary

    It can. It works with FQDN objects.

  • Alex_91
    Alex_91 Posts: 25  Freshman Member
    First Comment Friend Collector Sixth Anniversary

    from specific firmware or what?

    I can confirm that if I enter the various IPs manually in the rules (13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, ...) the application works.
    If I leave the FQDNs alone (outlook.cloud.microsoft, outlook.office.com, outlook.office365.com) the app doesn't work.

  • WJS
    WJS Posts: 155  Master Member
    5 Answers First Comment Friend Collector Second Anniversary

    FQDN object should work with now alive appliance.

    But sounds like you have FQDN object which mean your firmware should support this feature.

    Maybe try the latest firmware ?

    https://community.zyxel.com/en/discussion/17115/zywall-usg-series-v4-73-patch-2-firmware-released

  • PeterUK
    PeterUK Posts: 3,382  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited April 22 Answer ✓

    Can FQDN resolve IP subnet?

    No I FQDN can lookup the IP's of a DNS name bbc.co.uk

    151.101.0.81
    151.101.64.81
    151.101.192.81
    151.101.128.81

    You can do *bbc.co.uk for WILDCARD for subdomain by DNS that happens LAN to WAN for the IP's it gets

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)