Seeing an issue using minemeld and O365 IPs and not having the same IPs that Microsoft is advertising that need to be allowed. Is there any easy way to confirm what is there and and what isn't via minemeld? I've been using for awhile but only now did I notice that some of the CIDRs aren't coming across via minemeld.
Solved! Go to Solution.
Still fighting this issue. I tried your self signed cert as well from github and now I get a different error message when attempting to authenticate to minemeld using that cert profile:
description contains 'EDL server certificate authentication failed....Reason: SSL peer certificate or SSH remote key was not OK'
Update: So I changed the URL to include the server name instead of the IP address of minemeld and that seems to have fixed it. I can see the IPs and URLs now and all is well again. So:
First one works, second does not after generating the self signed cert on minemeld itself.
Weird because now that I am looking at this seems my external lists referencing mine meld are blank. So something is amiss. Either I have an older version of feed/nodes or something else entirely. I had set this up awhile ago and just assumed it was running. Some of URL references were simply https://youriphere/feeds/office365_IPv4s , was that used at one time?
I went ahead and re-imported the configuration from the how-to and I can see it populating data. But my external mine meld dynamic IP lists are still blank. I tested source URL and it comes back successful but still seem to missing something.
Basically I want to allow all O365 IPs on a specific policy via source IP using mind meld. Is this the way I would do that? Specific policy referencing mine meld external dynamic IP list as the source or destination?
@drewdown which config are you referring to? which o364 Miner are you using?
If you could share your config I could give you some guidance.
I want to feed o365 IPv4/URLs into external dynamic lists and reference them in policies using those EDLs as source and or destination objects. I configure the cert profile as well and I when browse to the URL in question I get a list of IPs but for whatever reason it doesn't look like PAN is creating the list correctly. IE its blank. I guess I would want to use the o365-worldwide-any-miner ?
As you can see the list is empty on the device but if I go to that URL it shows all the O365 IPs. I am also referencing it on a security policy but it still won't populate. I am using Panorama to do this if that matters,
youandme@fw3060-678876(active)> request system external-list show type ip name o365-IPv4 o365-IPv4 o365-IPv4-01 o365-IPv4-01 o365-IPv6 o365-IPv6 <name> <name> admin@fw1-3060-qts(active)> request system external-list show type ip name o365-IPv4-01 Server error : external dynamic list file either empty or not found
https://youriphere/feeds/o365-any-any-ipv4-feed 184.108.40.206-220.127.116.11 18.104.22.168-22.214.171.124 126.96.36.199-188.8.131.52 184.108.40.206-220.127.116.11 18.104.22.168-22.214.171.124 126.96.36.199-188.8.131.52 184.108.40.206-220.127.116.11 18.104.22.168-22.214.171.124 126.96.36.199-188.8.131.52 184.108.40.206-220.127.116.11 18.104.22.168-22.214.171.124 126.96.36.199-188.8.131.52 184.108.40.206-220.127.116.11 18.104.22.168-22.214.171.124 126.96.36.199-188.8.131.52 184.108.40.206-220.127.116.11 18.104.22.168-22.214.171.124 126.96.36.199-188.8.131.52 184.108.40.206-220.127.116.11 18.104.22.168-22.214.171.124 ..............
More digging shows this in the logs although not sure if its relevant because I still can't get the list to populate:
description contains 'EDL server certificate authentication failed. The associated external dynamic list has been removed, which might impact your policy. EDL Name: o365-IPv4-01, EDL Source URL: https://youriphere/feeds/o365-any-any-ipv4-feed, CN: please use a real certificate, Reason: unable to get local issuer certificate
( description contains 'EDL(o365-IPv4-01) No changes to authentication status, still failing. ' )
The cert I used was the godaddy one from the mine meld install walk through that you wrote @lmori :
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!