06-16-2016 11:34 PM - edited 03-12-2019 12:54 AM
I'm new to firewalling and I'm currently trying to allow traffic from Office 365 on our Cisco ASA 5515-X.
Is there a way to use an FQDN with a wildcard (e.g. *.office365.com)?
There are numerous destinations similar to the example to allow Office365.
06-16-2016 11:57 PM
No, that won't work. The ASA uses the FQDNs to resolve them to an IP address. These IPs are used for access-control. With wildcards, the ASA doesn't know what to resolve.
06-17-2016 12:06 AM
Thank you for the information, Karsten Iwen.
Is there any alternative to achieve using destinations with wildcards?
Although Microsoft provided all the IPs used by Office365, it's many compared to FQDN, just in case.
06-17-2016 02:29 AM
Solutions that inspect the payload can do that, like the FirePower module that you can install in your ASA. But that works best with clear communication and is an extra effort for encrypted communication like HTTPS.
11-29-2021 10:35 AM
In this example *.office365.com, you just put office365.com and that matches all of the wildcards. I tested this out with a pretty long list of FQDNs, and the test came back successful.
09-28-2023 03:01 AM
Does this work? ASA or FTD proactively matches the IP address to the FQDN (as defined in the ACL), and it wouldn't be able to match to any IP for any office365.com (or its subdomain) unless it's an FQDN.
Please let me know what output you see for show FQDN or show DNS on your device for office365.com.
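Since the replies above note that the ASA enforces access control on resolved IP addresses, the published-IP route mentioned in the thread can be scripted. The following is an added example, not part of any post in this thread: it turns a prefix list into an ASA `object-group network`, collapsing overlaps and rejecting malformed entries instead of silently widening the rule. The group name and the sample prefixes are constructed (documentation ranges), not real Office 365 addresses.

```python
import ipaddress

# Constructed sample input (documentation ranges), standing in for a
# vendor-published prefix list. Not real Office 365 addresses.
SAMPLE_PREFIXES = [
    "192.0.2.0/25",
    "192.0.2.128/25",     # adjacent to the previous entry: collapses to a /24
    "198.51.100.16/28",
    "198.51.100.20/32",   # already covered by the /28 above
    "203.0.113.7/32",
    "2001:db8:100::/48",
    "not-a-prefix",       # malformed: must be rejected, not guessed at
]

def asa_object_group(name, prefixes):
    """Return (config_lines, rejected_entries) for an ASA network object-group."""
    v4, v6, rejected = [], [], []
    for entry in prefixes:
        try:
            # strict=True refuses prefixes with host bits set, so a typo
            # cannot quietly become a broader permit.
            net = ipaddress.ip_network(entry.strip(), strict=True)
        except ValueError:
            rejected.append(entry)
            continue
        (v4 if net.version == 4 else v6).append(net)

    lines = [f"object-group network {name}"]
    # collapse_addresses merges adjacent and overlapping networks and sorts them.
    for net in ipaddress.collapse_addresses(v4):
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            # IPv4 entries use address + dotted netmask on the ASA.
            lines.append(f" network-object {net.network_address} {net.netmask}")
    for net in ipaddress.collapse_addresses(v6):
        if net.prefixlen == 128:
            lines.append(f" network-object host {net.network_address}")
        else:
            # IPv6 entries use prefix/length notation.
            lines.append(f" network-object {net}")
    return lines, rejected

if __name__ == "__main__":
    config, bad = asa_object_group("O365-NETS", SAMPLE_PREFIXES)  # hypothetical name
    print("\n".join(config))
    for entry in bad:
        print(f"! rejected input: {entry}")
```

Review the rejected entries before pushing the generated group, and regenerate it whenever the published list changes.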