topic Re: Need to create firewall policy that allows only Microsoft teams and rest all need to block in General Topics

Need to create firewall policy that allows only Microsoft teams and rest all need to block

adarshp2005 — Mon, 28 Jun 2021 07:53:12 GMT

Hi Friends,

I would like to create Palo Alto configuration for specific range of IP address, not based on users.

My requirement is as follow.

1. Only Microsoft teams traffic (incoming and outgoing includes calls) should be allowed.

2. Want to block all other traffic includes web browsing, file sharing, social media, media streaming.

Anyone can suggest or support to create this type of configuration.

Thanks and Regards.

Adarsh

Re: Need to create firewall policy that allows only Microsoft teams and rest all need to block

BPry — Mon, 28 Jun 2021 20:27:58 GMT

@adarshp2005,

Teams doesn't have a dedicated container app-id, instead it uses ms-teams, ms-teams-audio-video, ms-teams-downloading, ms-teams-editing, ms-teams-live-event, ms-teams-posting, ms-teams-sharing, and ms-teams-uploading. You can try building out an allow entry with those app-ids setup and deny all other traffic, but I'm not sure how well it'll actually function like that.

Also keep in mind that much of Teams relies on other ms-office365 app-ids and certain functions certainly won't actually function correctly unless you include access to other ms-office365 applications.

Re: Need to create firewall policy that allows only Microsoft teams and rest all need to block

OtakarKlier — Mon, 28 Jun 2021 21:33:43 GMT

Hello,

In addition to what BPry already stated, you can use URL and/or destination IP filtering to limit the traffic to Microsoft.

https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-endpoints?view=o365-worldwide

Cheers!

Re: Need to create firewall policy that allows only Microsoft teams and rest all need to block

alawi.alalattas — Mon, 21 Feb 2022 08:34:47 GMT

Hi,

For any specific application you want to allow only ( applications depend on SSL and Web-browsing), you can create two policies.

- One policy to allow SSL and Web-browsing for that application to work. configure the URL Category in this policy to use custom category contains only the URLs needed for that application

- Another policy to allow that application

In some cases, you have to add one more policy to allow destination IPs for that application to work

I did that for multiple applications such as Anydesk, Skype, Zoom, etc..

I did it also for MS Teams but still facing some issues

Re: Need to create firewall policy that allows only Microsoft teams and rest all need to block

Daniel_Erlenbu — Mon, 20 Nov 2023 17:48:06 GMT

I still have this issue to allow gifs in Teams through the PAN. I worked with Palo Alto Support and we ended up allowing Shareware and freeware and also online storage and backup for the HR URL Category group. I don't like this solution. What I need to do is just allow *.media0.giphy.com through *media100.giphy.com - Is there a way to wildcard the number after Media?

Re: Need to create firewall policy that allows only Microsoft teams and rest all need to block

kiwi — Wed, 22 Nov 2023 08:50:00 GMT

Hi @Daniel_Erlenbu ,

That specific usage of wildcard is not supported. You can only use wildcard characters as token placeholders which isn't the case in your query.

Please read the section on how to use asterisk or caret wildcards in the following document:

https://docs.paloaltonetworks.com/advanced-url-filtering/administration/configuring-url-filtering/url-category-exceptions/guidelines-for-url-category-exceptions#iddcac739a-a03b-4728-8293-b5d8d0d8a2ac

Kind regards,

-Kim.