This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Does adding too many hosts & IP ranges affect the performance of the UTM?

Hello there,

I plan to create a rule to allow some hosts & IP ranges for Microsoft 365 Common and Office Online, in order to deploy a hybrid Azure system with an on-premises AD server. This is the configuration on a Sophos UTM firewall. Below is an example: 

My question is: when I add many hosts & IP ranges, does it affect the performance of my device?

It would be best if there is a KB article about this. Thanks in advance.

Brds,

Vu

  • Hello VuHuynh,

    It is not recommended to put the Office 365 bypasses in as firewall rules because the IP ranges can constantly change and update as Microsoft make changes.

    It is perfectly acceptable, and recommended, to only have exceptions put into the Web Filter, as the issue that prevents O365 services from working properly is certificate pinning; HTTPS exceptions will therefore do the trick as long as Web Protection is enabled.

    If you have Web Protection enabled, go to Web Protection > Filtering Options > Exceptions and add a new exception. Select the check box to skip checks for "SSL Scanning"; you can also do so for the URL filter, but it is unlikely you will have category-blocked O365 services, and I would not recommend a URL filter exception unless absolutely needed.

    For the conditions, change the drop-down to "matching these URLs"; in the box that appears, click the drop-down, select Import, then copy and paste the exception list below in:

    ^https?://([A-Za-z0-9.-]*\.)?office365\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?admin\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?portal\.cloudappsecurity\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?us\.portal\.cloudappsecurity\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?eu\.portal\.cloudappsecurity\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?eu2\.portal\.cloudappsecurity\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?us2\.portal\.cloudappsecurity\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?us3\.portal\.cloudappsecurity\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?onmicrosoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?account\.office\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?agent\.office\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?delve\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?home\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?portal\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?suite\.office\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?webshell\.suite\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?www\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?aria\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?portal\.microsoftonline\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?clientlog\.portal\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?nexus\.officeapps\.live\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?nexusrules\.officeapps\.live\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?amp\.azure\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?o365weve\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?auth\.gfx\.ms/?
    ^https?://([A-Za-z0-9.-]*\.)?appsforoffice\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?assets\.onestore\.ms/?
    ^https?://([A-Za-z0-9.-]*\.)?az826701\.vo\.msecnd\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?c\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?c1\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?client\.hip\.live\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?contentstorage\.osi\.office\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?dgps\.support\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?docs\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?groupsapi-prod\.outlookgroups\.ms/?
    ^https?://([A-Za-z0-9.-]*\.)?groupsapi2-prod\.outlookgroups\.ms/?
    ^https?://([A-Za-z0-9.-]*\.)?groupsapi3-prod\.outlookgroups\.ms/?
    ^https?://([A-Za-z0-9.-]*\.)?groupsapi4-prod\.outlookgroups\.ms/?
    ^https?://([A-Za-z0-9.-]*\.)?msdn\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?platform\.linkedin\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?products\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?prod\.msocdn\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?res\.delve\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?shellprod\.msocdn\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?support\.content\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?support\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?support\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?technet\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?templates\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?video\.osi\.office\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?videocontent\.osi\.office\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?videoplayer\.osi\.office\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?manage\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?protection\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?blob\.core\.windows\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?helpshift\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?localytics\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?connect\.facebook\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?firstpartyapps\.oaspapps\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?outlook\.uservoice\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?prod\.firstpartyapps\.oaspapps\.com\.akadns\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?rink\.hockeyapp\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?sdk\.hockeyapp\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?telemetryservice\.firstpartyapps\.oaspapps\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?wus-firstpartyapps\.oaspapps\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?liverdcxstorage\.blob\.core\.windowsazure\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?telemetry\.remoteapp\.windowsazure\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?vortex\.data\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?www\.remoteapp\.windowsazure\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?hockeyapp\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?sharepointonline\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?staffhub\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?api\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?enterpriseregistration\.windows\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?dc\.applicationinsights\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?dc\.services\.visualstudio\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?forms\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?forms\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?graph\.windows\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?mem\.gfx\.ms/?
    ^https?://([A-Za-z0-9.-]*\.)?office365servicehealthcommunications\.cloudapp\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?securescore\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?signup\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?staffhub\.ms/?
    ^https?://([A-Za-z0-9.-]*\.)?staffhubweb\.azureedge\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?staffhub\.uservoice\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?forms\.osi\.office\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?watson\.telemetry\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?wu\.client\.hip\.live\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?testconnectivity\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?msocdn\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?office\.net/?

    These exceptions have been generated by translating the exceptions from XG format to UTM format from this KB article: https://community.sophos.com/kb/en-us/132291

    On the topic of large numbers of objects in the UTM: as Jaydeep says, it will not be noticed by the end user, but it will kill the performance of the WebAdmin GUI, so I only recommend that objects be created where necessary and that regular cleanups are done. I have seen GUIs on 400-series appliances crawl because they had around 7000 objects; after culling them down to about 1000, the performance difference was very dramatic. It is because of the way the UTM handles the objects and makes them available in a sidebar on all pages (from what I understand).

    Hope that helps.

    Emile

Reply
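The translation step Emile describes (XG-style domain entries turned into UTM URL-exception regexes), plus a check of what the generated patterns actually match, as an added example that is not part of the thread and is not Sophos code. The entries, sample URLs and function names are constructed for illustration. It also shows one point the thread does not raise: treated as a plain regex search, the posted pattern tail "/?" makes the trailing slash optional, so a hostname that merely begins with "office.com" (for example "office.com.attacker.example") satisfies the pattern too, while "notoffice.com" does not because of the "\." inside the optional group. Whether the UTM's matcher evaluates the pattern with the same semantics is not established by the thread, so the block generates a stricter tail that ends the hostname at "/", ":" or end of URL and compares the two.

```python
"""Generate Sophos UTM URL-exception regexes from XG-style domain entries and
audit what they match.  Added example for this thread; names and sample data
are constructed and are neither Sophos code nor the thread's own list."""
import re

# Constructed sample of XG-style entries (wildcard domains); not the thread's list.
XG_ENTRIES = [
    "*.office365.com",
    "*.office.com",
    "*.onmicrosoft.com",
    "*.sharepointonline.com",
    "portal.office.com",
]

# Constructed URLs to probe the patterns with.
SAMPLE_URLS = [
    "https://portal.office.com/",
    "https://outlook.office365.com/mail/",
    "https://office.com",                          # bare host, no path
    "https://office.com.attacker.example/login",   # hostname merely starts with office.com
    "https://notoffice.com/",                      # label merely ends with office.com
    "http://evil.example/?next=https://portal.office.com/",
]

POSTED_TAIL = "/?"          # tail used by the patterns posted in the thread
STRICT_TAIL = "(?:[:/]|$)"  # hostname must end here: path, port, or end of URL


def xg_to_utm(entry: str, tail: str = STRICT_TAIL) -> str:
    """Turn '*.example.com' or 'example.com' into a UTM-style anchored URL regex."""
    host = entry.strip().lower()
    if host.startswith("*."):
        host = host[2:]
    # Only plain hostnames are accepted; anything else is rejected rather than
    # escaped, so a stray character cannot silently widen the exception.
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host):
        raise ValueError(f"not a plain domain: {entry!r}")
    # '([A-Za-z0-9.-]*\.)?' allows zero or more subdomain labels in front of
    # the host; the '\.' inside the group is why 'notoffice.com' cannot match
    # an entry for 'office.com'.
    return r"^https?://([A-Za-z0-9.-]*\.)?" + host.replace(".", r"\.") + tail


def compile_exceptions(entries, tail: str = STRICT_TAIL):
    return [re.compile(xg_to_utm(e, tail)) for e in entries]


def bypass_table(entries, urls, tail: str = STRICT_TAIL) -> dict:
    """Map each URL to True if any exception pattern matches it (search semantics)."""
    regexes = compile_exceptions(entries, tail)
    return {u: any(r.search(u) for r in regexes) for u in urls}


def widened_by_posted_tail(entries, urls) -> list:
    """URLs the posted '/?' tail lets through that the strict tail does not."""
    posted = bypass_table(entries, urls, POSTED_TAIL)
    strict = bypass_table(entries, urls, STRICT_TAIL)
    return [u for u in urls if posted[u] and not strict[u]]


if __name__ == "__main__":
    for e in XG_ENTRIES:
        print(xg_to_utm(e))
    print()
    posted = bypass_table(XG_ENTRIES, SAMPLE_URLS, POSTED_TAIL)
    strict = bypass_table(XG_ENTRIES, SAMPLE_URLS, STRICT_TAIL)
    for u in SAMPLE_URLS:
        flags = ("posted" if posted[u] else "      ", "strict" if strict[u] else "      ")
        print(f"{flags[0]} {flags[1]}  {u}")
    print("\nwidened by '/?':", widened_by_posted_tail(XG_ENTRIES, SAMPLE_URLS))
```

With POSTED_TAIL the generator reproduces the thread's lines character for character (for "*.office365.com" it yields the first pattern in Emile's list), so it can be re-run against a fresh domain list whenever Microsoft changes the endpoints, which is the same maintenance problem Emile raises for IP-based firewall rules. Two entries in the posted list deserve a second look regardless of the tail: "microsoft\.com" and "blob\.core\.windows\.net" skip SSL scanning for every host under those domains, and the latter covers every Azure storage account, not only Microsoft's own, so scope them down to the specific storage hostnames the deployment needs if that is possible.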