04-28-2023 09:50 AM
In order to allow updates to OneDrive, I'm trying to create a custom application (since I'm blocking PE), as it is detected as web-browsing. It does not detect the premade MS OneDrive application.
I created a custom signature with the Client Hello SNI (oneclient.sfx.ms), as I found that from the packet capture. My issue is that it works for some of the traffic, but for other traffic it is not recognizing the app as OneDrive.
What could be going wrong?
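An added example (not part of the original thread): a small Python check that extracts the SNI from each TLS ClientHello, so the hostnames seen in a packet capture can be compared with the `oneclient.sfx.ms` value used in the custom signature. The helper names, the exact-host comparison standing in for the signature match, and the sample hellos (built inline, including the `updates.example.invalid` host) are assumptions for illustration.

```python
import struct

def extract_sni(rec: bytes):
    """Return the lower-cased SNI host from a TLS ClientHello record, else None."""
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:      # not a handshake / ClientHello
            return None
        pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
        pos += 1 + rec[pos]                       # session_id
        pos += 2 + struct.unpack_from("!H", rec, pos)[0]   # cipher_suites
        pos += 1 + rec[pos]                       # compression_methods
        end = pos + 2 + struct.unpack_from("!H", rec, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", rec, pos)
            pos += 4
            if ext_type == 0 and rec[pos + 2] == 0:   # server_name, type host_name
                n = struct.unpack_from("!H", rec, pos + 3)[0]
                name = rec[pos + 5:pos + 5 + n]
                return name.decode("ascii").lower() if len(name) == n else None
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                      # truncated or malformed hello
    return None

def build_hello(sni=None):
    """Build a minimal ClientHello record (constructed sample, not captured traffic)."""
    ext = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        body = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(body)) + body
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def audit(records, signature_host="oneclient.sfx.ms"):
    """Split SNIs into those an SNI signature for signature_host matches and the rest."""
    matched, missed = [], []
    for rec in records:
        sni = extract_sni(rec)
        (matched if sni == signature_host else missed).append(sni)
    return matched, missed

SAMPLE = [build_hello("oneclient.sfx.ms"),        # constructed hellos, one without SNI
          build_hello("updates.example.invalid"), build_hello(None)]
print(audit(SAMPLE))
```

Any hostname that lands in the second list, or a `None` for a hello without SNI, is traffic a signature keyed only on that one SNI value has nothing to match on.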
04-28-2023 10:33 AM
If you go to Monitor > Data Filtering and get the destination IP where the file download was attempted from, and then go to Monitor > URL Filtering and use the same destination IP as a filter, what URL do you see in the logs?
04-28-2023 10:45 AM
I see oneclient.sfx.ms/
05-01-2023 09:17 AM
Any more insights into this?
05-01-2023 09:27 AM
Add a new URL category:
Objects > Custom Objects > URL Category
Add 2 entries:
*.oneclient.sfx.ms/
oneclient.sfx.ms/
Create a security policy above the default outgoing policy to permit traffic to the newly created URL category, and assign a file blocking profile to the rule that does not block download of executable files.
05-01-2023 12:42 PM
That still is not working, and it's only for some users.
05-01-2023 01:09 PM
You can add those specific users into the "Source User" field to permit the rule for those users only.