topic File blocking allow MS 365 Office installs and Windows updates in General Topics

File blocking allow MS 365 Office installs and Windows updates

RaoulG — Fri, 21 Jan 2022 09:44:53 GMT

Hey,

If at all possible, please could I ask for some input on the best way I try allow M365 office installs (from their CDN) and Windows updates to our endpoints even though we are not using SSL decryption at the moment?

We currently have a policy rule to allow outbound web traffic, matching:

any dest
service http/https.
security profile applied to it that includes the basic file blocking profile (that will stop DLL, cab and Win PE files - all used in Windows updates or Office installs).

Above that, in my Palo ignorance, I've introduced another rule that I was hoping would match Windows update traffic and Office 365 installs. This is set to allow:

any dest
match the apps ms-update, ssl and web-browsing
application default service
Modified file blocking profile to allow but alert on cab, dll and Win PE files for above app-ids
URL category including the URLs at the bottom of the post

My question is more about Office at the moment as we need to deploy it - any time we try to deploy an Office app the traffic matches the standard 'Outbound web traffic' rule and normal file blocking denies it. Even though it is categorised as in the Office update URL list (file URL starts with officecdn....) and matches the ms-update or web-browsing app-ids, that are in my allow rule.

Any ideas?

Hope that made sense and sorry if I've made some mistakes, I am new to Palo.

Custom URL categories:

-Win update

windowsupdates.microsoft.com

*.windowsupdate.com

*.windowsupdates.microsoft.com

*.update.microsoft.com

-Office update

officecdn.microsoft.com

*.officecnd.microsoft.com

Re: File blocking allow MS 365 Office installs and Windows updates

OtakarKlier — Fri, 21 Jan 2022 19:35:24 GMT

Hello,

Make sure you have log at session end enabled on all policies. Then look at the unified logs to see what traffic the PAN is seeing for the office stuff. The problem with Microsoft updates is that they use Akamai so this could be why its not hitting the correct policies.

Regards,

Re: File blocking allow MS 365 Office installs and Windows updates

Gustavo_Aristi — Wed, 09 Feb 2022 22:22:09 GMT

Hi, wondering if you resolved this issue.

Try creating a custom URL category with the below URLs:

*.update.microsoft.com

*.windowsupdates.microsoft.com

*.windowsupdate.com

windowsupdates.microsoft.com

And create an allow security policy using this custom URL category. Place it right above the current policy being matched.

I hope that helps.

Re: File blocking allow MS 365 Office installs and Windows updates

LiveCommunityMemberOD — Thu, 24 Mar 2022 17:08:22 GMT

Hello,

How is your testing coming along?

We are also having challenges with O365 installations as well as MS updates from different client and server OS's.

Our custom URL category includes all of the windowsupdate Urls as well as the akamai Urls from this link:

https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/microsoft-365/enterprise/managing-office-365-endpoints.md

*.akadns.net
*.akam.net
*.akamai.com
*.akamai.net
*.akamaiedge.net
*.akamaihd.net
*.akamaized.net
*.edgekey.net
*.edgesuite.net

Still testing and we had a rule that allowed PE and DLL files when the clients hit our custom URL category.

But ran into an issue with a Server 2016 OS which was hitting hwcdn.net which is another CDN network.

I dont think we have a final configuration yet-that is as tight as possible but we are getting close.

Also testing using the ms-update application in one rule and the custom category in another.

Interested to know if you have found a tight ruleset that allows this yet.

thx