We have many client computers with no internet access (only intranet and email).
Since we are migrating our email to Office 365, client computers need access to Office 365 (via Outlook and web browser). Not only mail services, but also licensing, OneDrive, ... - the full scope of Microsoft Office 365 services.
How can we achieve that?
you can create
The firewall operates on abstract objects so that an end-point can be an object defined as:
Rules can be very general, and very specific. More specific rules precede general rules.
There are four technologies involved:
The Palo Alto firewall has a Graphical User Interface available through a standard web browser. One of the GUI screens provides the following search-able organizational categories:
The risk level is a finger-in-the-air enumeration which loosely categorizes how risky the application is. These risk levels are customizable, but there is little point in trying to do so, since a new set of application signatures could upset your particular impression of risk, and trying to single-handedly manage all the risk levels raises some serious administrative overhead.
You can search applications by name, select by groups, manage the content of groups, and create a filter which dynamically generates a group.
Specific applications, statically defined groups, and dynamically generated groups can each be used in the policy.
The huge advantage of this approach is how it reduces the firewall administrator's overhead in maintaining policy. If your corporate security policy says, 'Deny Instant Messaging (IM)', then it's easy to create a dynamic rule called 'Instant messaging' and use that in a single deny rule. If a new IM technology is invented, then it will be included in the next application signature release, and the security policy requires no changes.
For many more, please visit: How to Check if an Application Needs to have Explicitly Allowed Dependency Apps
I also need to know how to allow Office365-related traffic ONLY.
Satish, I do understand how the firewall works, with all the objects and such.
The question is more specific.
I have a Policy for a specific User Group that enables Office365 and related apps.
When enabling Office365, I need to also enable web-browsing.
When web-browsing is enabled, hosts that should only access Office365-related destinations are also able to access other websites.
I can use URL Category blocking to deny access to all categories, and for that I would need to create a "whitelist" through a Custom URL Category list allowing Office365-related URLs.
That is a bad method - I don't know all the Microsoft-related URLs, and can't expect Microsoft to not change their service's URLs.
What would be the recommended implementation method?
I was really hoping to resolve this at the application filter level, without having to resort to URL filters.
I understand web-browsing has to be enabled in order to allow enough traffic to identify applications (i.e. office365, facebook, etc.), however it would be awesome if there was a signature to match 'standard web browsing' - that is, traffic that hasn't been associated to a specific application after X amount of packets in a session (or session group).
This way it'd be possible to filter this kind of traffic out, effectively allowing only the specific needed applications.
RFE? Feasible at all?
We have managed to do this by creating FQDNs for the Microsoft email servers and also a custom URL category. How we have achieved this is with 2 security rules.
First Security Rule: allows users to the Microsoft email domains (FQDNs) on specific applications.
Second Security Rule: allows users to a specific custom URL group (blacked out is the custom URL group we used for our customer).
You should observe traffic of users who generate only this traffic to fully understand if you are missing a service, port, server (FQDN), and/or URL. (This took one of my co-workers a good amount of time to wrap a fence around it.)
This is a very clean way to create the policy. We didn't use the FQDN objects because of some internal issues. We ended up allowing all of the MS subnets listed here: Office 365 URLs and IP address ranges. The issue is that this list does change. We experienced an issue with it recently. Due to our size we also needed to use a source NAT pool to ensure MS didn't exceed TCP port limitations.
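The two-rule approach above (FQDN objects plus a custom URL category) and the reply noting that Microsoft's published list of ranges changes both come down to the same maintenance problem: keeping a destination allowlist in step with a feed you do not control. The following is an added example, not code from this thread, from Palo Alto Networks or from Microsoft. It assumes the JSON layout of Microsoft's Office 365 endpoint web service (the field names `serviceArea`, `urls`, `ips`, `category` and `required` are assumptions about that feed), uses two constructed snapshots with RFC 5737 / RFC 3849 documentation address ranges rather than real Microsoft ranges, builds the flat destination list an external dynamic list could be fed from, and diffs two feed versions so that a change to the published ranges is caught when it happens instead of being discovered as a mail outage.

```python
"""Build and diff an Office 365 destination allowlist from an endpoint feed.

Added example for this thread, not code from Palo Alto Networks or Microsoft.
It assumes the JSON shape published by Microsoft's Office 365 endpoint web
service (a list of objects with "serviceArea", "urls", "ips", "tcpPorts",
"category" and "required"); the two snapshots below are constructed and use
RFC 5737 / RFC 3849 documentation address ranges, not real Microsoft ranges.
"""
import ipaddress
import json
import re

# Constructed snapshot 1: three required Exchange/SharePoint rows, one optional row.
SNAPSHOT_V1 = """[
 {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office.com", "outlook.office365.com"],
  "ips": ["192.0.2.0/24", "2001:db8:1::/48"], "tcpPorts": "80,443",
  "category": "Optimize", "required": true},
 {"id": 2, "serviceArea": "Exchange", "urls": ["*.mail.protection.outlook.com"],
  "ips": ["198.51.100.0/24"], "tcpPorts": "25,443", "category": "Allow", "required": true},
 {"id": 3, "serviceArea": "SharePoint", "urls": ["*.sharepoint.com"],
  "ips": ["203.0.113.0/24"], "tcpPorts": "80,443", "category": "Optimize", "required": true},
 {"id": 4, "serviceArea": "Common", "urls": ["*.office.com"], "tcpPorts": "80,443",
  "category": "Default", "required": false}
]"""

# Constructed snapshot 2: the published list changed, one range added and one FQDN dropped.
SNAPSHOT_V2 = SNAPSHOT_V1.replace(
    '"2001:db8:1::/48"', '"2001:db8:1::/48", "2001:db8:2::/48"'
).replace('"outlook.office.com", "outlook.office365.com"', '"outlook.office.com"')

# Bare host name with an optional leading wildcard label; no scheme, path or port.
_FQDN_RE = re.compile(r"^(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_endpoints(text):
    """Parse the feed; anything that is not a JSON array is rejected up front."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("endpoint feed must be a JSON array")
    return data


def build_allowlist(entries, service_areas=None, include_optional=False):
    """Return (fqdns, networks) for the rows that belong in the allow rule.

    Rows marked "required": false are skipped unless include_optional is set,
    since those are the broad "Default" rows. Every host and prefix is
    validated and a bad value raises, so a malformed feed cannot widen the
    rule; the caller should then keep its last known-good list.
    """
    fqdns, nets = set(), set()
    for row in entries:
        if service_areas and row.get("serviceArea") not in service_areas:
            continue
        if not (row.get("required") or include_optional):
            continue
        for host in row.get("urls", []):
            if not _FQDN_RE.match(host):
                raise ValueError(f"unexpected URL entry in feed: {host!r}")
            fqdns.add(host.lower())
        for prefix in row.get("ips", []):
            # strict=True rejects e.g. 192.0.2.1/24 (host bits set), a typical typo.
            nets.add(str(ipaddress.ip_network(prefix, strict=True)))
    return fqdns, nets


def render_list(fqdns, nets):
    """Flat text, one destination per line: the form an external list feed serves.

    The exact entry syntax a firewall accepts in an external dynamic list
    (wildcards, trailing slashes) is vendor-specific; check the vendor docs.
    """
    return "\n".join(sorted(fqdns) + sorted(nets))


def diff_snapshots(old_text, new_text, **kwargs):
    """Compare two feed versions; returns (added, removed) destination sets so a
    change is noticed before the firewall rule silently stops covering a service."""
    old_f, old_n = build_allowlist(parse_endpoints(old_text), **kwargs)
    new_f, new_n = build_allowlist(parse_endpoints(new_text), **kwargs)
    old_set, new_set = old_f | old_n, new_f | new_n
    return new_set - old_set, old_set - new_set


if __name__ == "__main__":
    hosts, prefixes = build_allowlist(parse_endpoints(SNAPSHOT_V1))
    print(render_list(hosts, prefixes))
    added, removed = diff_snapshots(SNAPSHOT_V1, SNAPSHOT_V2)
    print("added:", sorted(added), "removed:", sorted(removed))
```

Run on a schedule, the diff is the part that matters operationally: the allow rule itself only needs rebuilding when `added` or `removed` is non-empty, and a non-empty `removed` set is the signal that a destination the clients still use may be about to stop matching the rule.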
Question. How did you confirm the entire list of FQDN entries required for your rule?