04-20-2022 05:48 AM
Hi,
I have two separate issues, but I think they are connected by a missing firewall rule somewhere; I cannot locate what I am missing, though.
Issue 1:
When I try to use the SHARE button inside the desktop version of Word/Excel/PowerPoint to share a document, I cannot see anyone in the drop-down, cannot search for any users, and in general it's not populating. I don't have that problem when trying to share a document that is saved in any online location - all employees show in the 'share with' window.
Issue 2:
I cannot connect to any of my PowerBI datasets located online from any desktop Excel. That is true for any user, on any computer, on any VLAN I have. When I select Get Data/from PowerBI, the only thing that I can see is a grey column with a spinning wheel.
When users attempt to connect to the same datasets from non-corporate devices, they can just fine.
We have converged Palo environment: GlobalProtect, VPN portals, Cortex, on-prem Palo firewalls.
I am very new to Palo firewalls, and have just been on the PAN-210 training course a few days ago, so I understand the building blocks of security rules, but this is the 'art' part of the knowledge and I am not there yet.
Has anyone had a similar issue and can lead me to an app, service, or combination of both that is responsible for communication with MS online resources from within Office apps?
Our Outlook and SharePoint online portals work perfectly fine; we can get mail and access the Intranet website without issue.
Regards
Robert
04-20-2022 10:14 AM
Do you decrypt outbound traffic on your network? Have you enabled logging on the interzone-default security entry so that uncaught denied traffic is actually being recorded in the traffic logs?
04-20-2022 01:03 PM
Similar issue that started today. My Office 365 would not complete MFA and it was because my firewall thought the dest IP was in China and was blocking the traffic. I have tried rolling back Applications and threats but that hasn't changed anything. I ended up disabling the geo rule until it gets patched.
04-20-2022 01:23 PM
We are currently tracking an issue with this. Content update 8559 is causing outages, as geo-ip data is showing incorrect mappings. TAC is currently working on an advisory to customers, but there are Microsoft services and OpenDNS resolvers in the problematic subnets:
- 13.107.202.0 - 13.107.255.255
- 52.127.91.0 - 52.127.93.255
- 146.75.32.0 - 146.75.47.255
- 168.63.129.16 - 168.63.129.31
- 142.250.176.0 - 142.250.183.255
- 208.67.220.0 - 208.67.220.255
Please follow these instructions to revert below 8559 and see if that fixes your issue.
04-22-2022 06:31 AM - edited 04-22-2022 06:34 AM
Hi,
Still getting my head around Panorama's 'pre' and 'post' rules.
We do have a decrypt rule on outgoing traffic and we do have a catch rule with logging enabled.
Any specific events I should look for?
Edit:
Just found we also have a 'don't decrypt O365 traffic' rule in another part of Panorama, so back to the beginning. Any key terms I should look for in logs?
04-22-2022 02:33 PM
What OS are you running? 10.0+ gives a decryption failure pane in the ACC tab.
04-23-2022 12:32 AM
I'd try working with a test machine exhibiting the behavior and look for denied traffic in your traffic logs, along with any M365 traffic accidentally bypassing your decryption exception (you don't say here how you have that configured).
You can also quickly verify if this is an issue on the firewall by taking a single test host and creating a temporary any/any allow rule for it to external resources and excluding it completely from decryption. If things work as expected, you can start working backwards from there (i.e., try it again with it hitting your normal security rulebase entries; if it works then it's a security rulebase issue, and if it doesn't then focus on decryption).
04-25-2022 12:23 AM
@BPry wrote: I'd try working with a test machine ...
... You can also quickly verify if this is an issue on the firewall by taking a single test host and creating a temporary any/any allow rule for it to external resources and excluding it completely from decryption. ...
Yes, this will be my next task for my desk, getting a permanent test host.
We run 9.0.14 ATM.
04-28-2022 03:18 AM
Hi,
It will be slow progress from now on, as I have loads of other jobs to complete before doing tests on this, but thanks for all the help. Once I have progress, I will let you all know.
Regards