Does PAN offer any formal guidance for implementing access to Office 365, specifically for Outlook access to Exchange Online?
We have, via trial-and-error, enabled this access using the newly-minted AppID for Office 365, but are seeing occasional Outlook session disconnects.
Microsoft is, predictably, telling us that none of their other customers see this problem, and are vaguely suggesting it's our firewall.
Does Palo Alto Networks have any recommendations on how to best enable Exchange Online? Anyone have any positive experiences to share? (I can also share some of our pains in reverse-engineering the O365 service, if there is interest...)
A quick suggestion I would give here is to first make the rules simple between the source and destination and allow the traffic to pass properly and completely as expected.
Now if monitor Traffic logs for this period of testing ( Filter traffic for security rule, time frame of the event tested, source and destination IPs ) we would find all the apps seen on the PAN and all the ports which allowed the traffic.
If some of these ports or apps were missed that would narrow down the issue for us.
Did you just starting seeing the issue after the app-id's were created. Also verify that no session is being denied for the ports or apps that are needed for the application.
While you are having issue you can do the following to narrow down the issue.
1. Need to setup the filters for the traffic we are interested in. To do this, execute the following steps:
Navigate to Monitor--Packet Capture
Click 'Manage Filters'
Set Filter ID 1 to be the source IP and destination IP of traffic you feel is affected ( leave all other fields blank )
Set Filter ID 2 to be the exact inverse of what you did in step 3 (destination IP in source field, Source IP in destination field)
2. Setup up the captures
Create and name the file stage for a packet capture on all the stages (receive, transmit, firewall and drop)
3. Enable filters and captures
debug dataplane packet-diag set filter on
debug dataplane packet-diag set capture on
4. open 2 CLI windows
on 1 run the following command to look at the counter ( make sure it run this command once before running the traffic)
show counter global filter packet-filter yes delta yes
on the 2nd window run the following command to look at he sessions
show session all filter source <ip address> destination <ip address>
After your test has been done stop all the captures and filters and see if global counter show you anything why it is dropping the traffic or if you have getting pcap with drop stage.
This will help you narrow down the issue.
Let us know if this helps you resolve the issue.
These are all great suggestions in general for simple straightforward applications, however the way MS implements Exchange Online is anything but simple or predictable. I will try to address these individually:
For the most part we have the service enabled, however there are still some minor challenges (e.g. occasional disconnects) which is why I was hoping that PAN offered a formal tested and recommended guide for implementing O365.
Some good info here. We are getting ready to configure some security policies and I was hoping to see how others were handling it.
One of my thoughts was / is ....
Well we are getting ready to implement Panorama, so I was thinking that we could setup a global rule that is application based and then a local rule that is URL based, then monitor traffic and see which way is the most effective.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!