@Nima_Chogyal blocking access to those type of cloud application with FQDN is not practical. That will be a never ending story hunting new IPs as a result of the fast changing of these IPs. Like @PhoneBoy wrote, use app control or myabe updatable objects to create your rules. All of the applications of googles workspace are available via app control and you can create rules based on them. We are using this to allow only some of the apps not all. This is working fine in our environment with enabled HTTPS inspection or SNI support and R81.20.
Here are a sample of googles applications and updatable objects available via SmartConsole to use in the rule base:
.png "Wolfgang"){kind=avatar}
