Maybe I've found something interesting.
The kind of shaping I'm looking for (URL based) is mostly a proxy feature and not a firewall feature.
I've read about Squid Delay Pools and the corresponding rules which may be based upon regex.
Here is an excerpt:
URL, keyword based bandwidth restriction
This will limit the bandwidth for the following keywords video.domain.com mail cricket
acl group1 url_regex -i video.domain.com mail cricke
delay_pools 1
delay_class 1 1
delay_parameters 1 32000/128000
delay_access 1 allow group1
The idea is to limiti all the sites except O365 ones or limiting specific sites (i.e. update.microsoft.com).
At the moment I'm on holiday and I have no access to my virtual lab. As soon as I'll be back home I'll give it a try.
If in the meanwhile anyone can add any thought, very appreciated.
Managing these settings through NS interface would be great.
Mauro