Hi There,
We're in the process of forwarding Office365 via Check Point R81.10 (instead of a proxy) and would like to seek expertise using the O365 Updatable Objects in our environment.
I'm aware that since R80.20, Checkpoint supports 'updatable objects' for various vendors, but I've got some questions about this.
1. Does the checkpoint require SSL inspection to be configured to detect and continue forwarding the O365 traffic?
2. Does it also require URLF? Going through the community forums, it's been mentioned that Checkpoint doesn't support updatable objects for MS Office, which include wildcards.
3. As per SK110679-Application Control support for Office 365, does it require any app control for better usage and performance?
4. Any best practices to follow (based on experience) or any known issues?
So, I'm trying to understand: would updatable objects themselves suffice, or does it require SSL inspection, URLF, and application control?
Thanks in advance.
You don't need SSL inspection enabled in order to use updatable objects, but considering that literally 99% of the sites worldwide are HTTPS nowadays, it makes sense to have it on. To use wildcards for custom app objects (not UO), you do need the URLF blade enabled, but if you just need updatable objects, I don't believe you have to have the blade enabled, but I will confirm in the lab tomorrow.
Best,
Andy
To add to my 1st reply, based on below, I don't see any special requirements to use updatable objects, but will definitely verify in the lab Monday.
Have a great night.
Best,
Andy
Hi @the_rock
Many thanks for the reply and getting it tested on your lab. Much appreciated.
AFAIK, MS doesn't recommend doing HTTPS inspection for the O365 traffic. As you mentioned, since most of the traffic has become SSL now, I'm trying to know whether updatable objects themselves would suffice.
And, per SK110679-Application Control support for Office 365, does it also require any app control (in addition to updatable objects) for better usage and performance?
I would say, regardless of circumstances, URLF+APPC should be enabled anyway. I can tell you, this is not only on CP, but even on FortiGates and PAN, if you have SSL inspection enabled as well, you will see the IPS blade be way more beneficial.
Best,
Andy
Hi Mate, I agree. My scenario is to send only O365 via the firewall and all the rest via the proxy where SSL inspection is happening.
As you know, MS O365 is a critical service where any downtime isn't entertained. Once tested in your lab, can you please share your insights?
Thanks for your help.
Yup, just tested it, worked fine without inspection, URLF or APPC. I only had IPS, VPN and monitoring blades on. Personally, in production, I ALWAYS advise people to at least have URLF and APPC enabled. Just my suggestion mate, I don't force anyone to do anything, it's a free country :-)
Best,
Andy
K, so just tested it in the lab and you can add any updatable object, even if you don't have URLF or APPC enabled. BUT, again, as the SK says, to function 100% properly, you should even have SSL inspection on. Yes, it will work without those blades, but you won't see full benefits of it at all.
Best,
Andy
Hi @the_rock
Thanks and apologies for the late reply. I have seen some threads on updatable objects which don't support wildcard FQDN objects.
As O365 traffic also contains wildcard FQDNs (on non-web ports), it can’t traverse via URLF layer and hence it's necessary to include every URL/domain that the site is trying to load as part of the page. If we proceed with the FQDN object, it's very challenging as it requires each and every domain to be added manually.
Any suggestions on how to get this accomplished?
The custom app/site object lets you import a CSV file into it, so that's one option. Yes, I do believe you are correct in saying that UOs don't support wildcards.
Ostensibly, even if that's the case, custom site objects should work. I don't know any better suggestion, but you can confirm with TAC 100%, see what they have to say.
Best,
Andy
Thanks. Sure, will log a TAC case.
As far as I know, custom app/site is for URLF and APP control, which is for HTTP/HTTPS and not for non-web services, as MS also has IMAP and SMTP associated with it.
While I raise a TAC case, can you please confirm on the above...?
Correct.
Keep us posted on what TAC says, because this can definitely help others and it's a really important subject, for sure.
Best,
Andy
Any update on this?
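Added example, not part of any post in this thread: a sketch that sorts an endpoint list by the two properties the discussion turns on, wildcard vs. exact hostname and web vs. non-web ports, so the entries that URL-based matching cannot cover (per the thread, custom app/site objects apply to HTTP/HTTPS only) are visible before a rule base is built. The records are constructed, shaped like Microsoft's published Microsoft 365 endpoint list; `classify` and `uncovered_by_url_matching` are hypothetical helper names.

```python
import json

# Constructed sample shaped like Microsoft's published Microsoft 365 endpoint
# list (id, serviceArea, urls, ips, tcpPorts, udpPorts). All values are made up.
SAMPLE = json.loads("""[
 {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.example.com"], "tcpPorts": "80,443"},
 {"id": 2, "serviceArea": "Exchange", "urls": ["*.mail.example.net"], "tcpPorts": "25"},
 {"id": 3, "serviceArea": "Exchange", "urls": ["imap.example.net"], "tcpPorts": "143,993"},
 {"id": 4, "serviceArea": "SharePoint", "urls": ["*.sharepoint.example.com"], "tcpPorts": "80,443"},
 {"id": 5, "serviceArea": "Skype", "ips": ["203.0.113.0/24"], "udpPorts": "3478"}
]""")

WEB_TCP = {"80", "443"}  # ports where URL-based (HTTP/HTTPS) matching can apply


def _ports(spec):
    """Split a comma-separated port string, keeping ranges like '1-5' as text."""
    return [p.strip() for p in (spec or "").split(",") if p.strip()]


def classify(endpoints):
    """Bucket each hostname by wildcard/exact and web/non-web port usage."""
    buckets = {k: [] for k in
               ("exact_web", "wildcard_web", "exact_nonweb", "wildcard_nonweb", "ip_only")}
    for ep in endpoints:
        tcp, udp = _ports(ep.get("tcpPorts")), _ports(ep.get("udpPorts"))
        # "web" only if every listed port is TCP 80/443 and nothing uses UDP
        web = bool(tcp) and set(tcp) <= WEB_TCP and not udp
        urls = ep.get("urls") or []
        if not urls:                       # entry is defined by IP ranges only
            buckets["ip_only"].append((ep["id"], ep.get("ips", [])))
            continue
        for name in urls:
            kind = ("wildcard" if "*" in name else "exact") + ("_web" if web else "_nonweb")
            buckets[kind].append((ep["id"], name, tcp + [f"udp/{p}" for p in udp]))
    return buckets


def uncovered_by_url_matching(buckets):
    """Wildcard names on non-web ports: the case the thread leaves open."""
    return sorted(name for _, name, _ in buckets["wildcard_nonweb"])


if __name__ == "__main__":
    for kind, rows in classify(SAMPLE).items():
        print(kind, rows)
```

The `wildcard_nonweb` bucket is the list to take to TAC; `ip_only` and `exact_nonweb` entries can be reviewed against whatever IP ranges and FQDN objects the policy already carries.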