PBF for Office 365

L1 Bithead

PBF for Office 365

Hi all,

One of our strategic customers is requesting the possibility to route just the O365 traffic to a specific link, and after researching this I think that the best approach is using MineMeld to automatically feed a list of application IP addresses, but I didn't find any documentation describing how to perform this.

Have any of you used MineMeld to monitor the O365 addresses and input this into PANW, and can you share some details with me?

Thank you and regards,

L7 Applicator

Re: PBF for Office 365

We have at least one customer using PBF with an IP list dynamically downloaded via DBL to route O365 traffic over a specific link. They are not using MineMeld yet, but its predecessor https://panwdbl.appspot.com.

So yes, I would definitely test and use MineMeld for this scenario.

L1 Bithead

Re: PBF for Office 365

lmori, can you share how they are using DBL to do this?


@lmori wrote:

We have at least one customer using PBF with an IP list dynamically downloaded via DBL to route O365 traffic over a specific link. They are not using MineMeld yet, but its predecessor https://panwdbl.appspot.com.

So yes, I would definitely test and use MineMeld for this scenario.

L7 Applicator

Re: PBF for Office 365

Hi rrunge1,

you can use a DBL as target for the PBF rule. DBL is populated with O365 IP addresses by O365 Miners.

luigi

L1 Bithead

Re: PBF for Office 365


@lmori wrote:

Hi rrunge1,

you can use a DBL as target for the PBF rule. DBL is populated with O365 IP addresses by O365 Miners.

luigi


Luigi,

I created the miner using the prototype Office365.O365, but apparently there are some IPs missing in the default list; compared with https://support.content.office.net/en-us/static/O365IPAddresses.xml, they aren't part of the Office365.O365 miner.

I tried to customize the prototype using the address above and could collect more than 1000 indicators from the XML, but the processor doesn't understand the format.

L7 Applicator

Re: PBF for Office 365

Hi rrunge1,

Microsoft splits the IP addresses and URLs used for O365 into 17 different lists, one for each O365 service.

Each service has a corresponding Miner in MineMeld. If you want to gather all the IPs you need all the Miners. Basically your graph should look like this one:

[Image: Screen Shot 2016-05-25 at 10.08.47.png]

You can download the config here:

https://paloaltonetworks.box.com/s/4ubmkgrq72a8mdd24j733ddqdgbkyvv4

To use it you should:

- upload the file to the VM via SCP or SFTP (you can use Filezilla on Windows)

- log in to the VM via SSH

- and then

$ sudo -u minemeld cp office365-config.yml /opt/minemeld/local/config/committed-config.yml
$ sudo service minemeld restart

luigi

L1 Bithead

Re: PBF for Office 365

Thanks Luigi, it's working now!

L7 Applicator

Re: PBF for Office 365

Great! Thanks for letting me know!

L3 Networker

Re: PBF for Office 365

Is this safe without overwriting the other configurations in place?

L7 Applicator

Re: PBF for Office 365

Hi chirsf,

you should merge the 2 configs by hand:

- sudo -u minemeld vi /opt/minemeld/local/config/committed-config.yml

- the config format is straightforward, it's basically a list of nodes:

nodes:
    node1:
        [...]
    node2:
        [...]

- you should append the list of nodes from the O365 config files to the list of nodes of the current committed-config:

nodes:
    node1:
        [...]
    node2:
        [...]
    o365:
        [...]
    ...

- restart minemeld service "sudo service minemeld restart"
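
The hand merge described in the post above can also be scripted so that existing nodes are never silently overwritten. This is an added example, not part of the original post and not MineMeld's own code; the function names and the assumption that a node lists its upstream nodes under an `inputs` key are mine.

```python
"""Merge MineMeld node definitions without overwriting the committed config."""
import copy
import sys


def merge_nodes(current, extra):
    """Return a new config holding the nodes of both; refuse name collisions.

    Only the 'nodes' section of `extra` is appended; other top-level keys
    of `current` are kept unchanged.
    """
    cur_nodes = current.get("nodes") or {}
    new_nodes = extra.get("nodes") or {}
    clashes = sorted(set(cur_nodes) & set(new_nodes))
    if clashes:
        raise ValueError("node names already in use: " + ", ".join(clashes))
    merged = copy.deepcopy(current)
    merged["nodes"] = {**copy.deepcopy(cur_nodes), **copy.deepcopy(new_nodes)}
    return merged


def dangling_inputs(config):
    """List (node, input) pairs whose input names no node in the config.

    Assumption: a node may carry an 'inputs' list of upstream node names.
    """
    nodes = config.get("nodes") or {}
    return sorted(
        (name, src)
        for name, body in nodes.items()
        for src in ((body or {}).get("inputs") or [])
        if src not in nodes
    )


if __name__ == "__main__":
    import yaml  # PyYAML, assumed installed; only needed for file I/O

    if len(sys.argv) != 4:
        sys.exit("usage: merge.py CURRENT.yml EXTRA.yml OUTPUT.yml")
    with open(sys.argv[1]) as f:
        current = yaml.safe_load(f) or {}
    with open(sys.argv[2]) as f:
        extra = yaml.safe_load(f) or {}
    merged = merge_nodes(current, extra)
    missing = dangling_inputs(merged)
    if missing:
        sys.exit("unresolved inputs: %r" % missing)
    with open(sys.argv[3], "w") as f:
        yaml.safe_dump(merged, f, default_flow_style=False)
```

Write the result to a separate file, review it, keep a copy of the existing committed-config.yml, and only then copy the merged file into place and restart the service as described above.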
