01-21-2022 01:44 AM
Hey,
If at all possible, please could I ask for some input on the best way I try allow M365 office installs (from their CDN) and Windows updates to our endpoints even though we are not using SSL decryption at the moment?
We currently have a policy rule to allow outbound web traffic, matching:
Above that, in my Palo ignorance, I've introduced another rule that I was hoping would match Windows update traffic and Office 365 installs. This is set to allow:
My question is more about Office at the moment as we need to deploy it - any time we try to deploy an Office app the traffic matches the standard 'Outbound web traffic' rule and normal file blocking denies it. Even though it is categorised as in the Office update URL list (file URL starts with officecdn....) and matches the ms-update or web-browsing app-ids, that are in my allow rule.
Any ideas?
Hope that made sense and sorry if I've made some mistakes, I am new to Palo.
Custom URL categories:
-Win update
windowsupdates.microsoft.com
*.windowsupdate.com
*.windowsupdates.microsoft.com
*.update.microsoft.com
-Office update
officecdn.microsoft.com
*.officecnd.microsoft.com
01-21-2022 11:35 AM
Hello,
Make sure you have log at session end enabled on all policies. Then look at the unified logs to see what traffic the PAN is seeing for the office stuff. The problem with Microsoft updates is that they use Akamai so this could be why its not hitting the correct policies.
Regards,
02-09-2022 02:22 PM
Hi, wondering if you resolved this issue.
Try creating a custom URL category with the below URLs:
*.update.microsoft.com
*.windowsupdates.microsoft.com
*.windowsupdate.com
windowsupdates.microsoft.com
And create an allow security policy using this custom URL category. Place it right above the current policy being matched.
I hope that helps.
03-24-2022 10:08 AM
Hello,
How is your testing coming along?
We are also having challenges with O365 installations as well as MS updates from different client and server OS's.
Our custom URL category includes all of the windowsupdate Urls as well as the akamai Urls from this link:
*.akadns.net
*.akam.net
*.akamai.com
*.akamai.net
*.akamaiedge.net
*.akamaihd.net
*.akamaized.net
*.edgekey.net
*.edgesuite.net
Still testing and we had a rule that allowed PE and DLL files when the clients hit our custom URL category.
But ran into an issue with a Server 2016 OS which was hitting hwcdn.net which is another CDN network.
I dont think we have a final configuration yet-that is as tight as possible but we are getting close.
Also testing using the ms-update application in one rule and the custom category in another.
Interested to know if you have found a tight ruleset that allows this yet.
thx
OD
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
