File blocking allow MS 365 Office installs and Windows updates

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

File blocking allow MS 365 Office installs and Windows updates

L0 Member

Hey,

If at all possible, please could I ask for some input on the best way I try allow M365 office installs (from their CDN) and Windows updates to our endpoints even though we are not using SSL decryption at the moment?

 

We currently have a policy rule to allow outbound web traffic, matching:

  • any dest
  • service http/https.
  • security profile applied to it that includes the basic file blocking profile (that will stop DLL, cab and Win PE files - all used in Windows updates or Office installs).

 

Above that, in my Palo ignorance, I've introduced another rule that I was hoping would match Windows update traffic and Office 365 installs. This is set to allow:

  • any dest
  • match the apps ms-update, ssl and web-browsing
  • application default service
  • Modified file blocking profile to allow but alert on cab, dll and Win PE files for above app-ids
  • URL category including the URLs at the bottom of the post

 

My question is more about Office at the moment as we need to deploy it - any time we try to deploy an Office app the traffic matches the standard 'Outbound web traffic' rule and normal file blocking denies it. Even though it is categorised as in the Office update URL list (file URL starts with officecdn....) and matches the ms-update or web-browsing app-ids, that are in my allow rule.

Any ideas?

Hope that made sense and sorry if I've made some mistakes, I am new to Palo.

 

 

Custom URL categories:

-Win update

windowsupdates.microsoft.com

*.windowsupdate.com

*.windowsupdates.microsoft.com

*.update.microsoft.com

-Office update

officecdn.microsoft.com

*.officecnd.microsoft.com

3 REPLIES 3

Cyber Elite
Cyber Elite

Hello,

Make sure you have log at session end enabled on all policies. Then look at the unified logs to see what traffic the PAN is seeing for the office stuff. The problem with Microsoft updates is that they use Akamai so this could be why its not hitting the correct policies.

Regards,

L3 Networker

Hi, wondering if you resolved this issue.

 

Try creating a custom URL category with the below URLs:

*.update.microsoft.com

*.windowsupdates.microsoft.com

*.windowsupdate.com

windowsupdates.microsoft.com

 

And create an allow security policy using this custom URL category. Place it right above the current policy being matched.

 

I hope that helps.

Cyberforce Hero.
Don't forget to hit that Like button if a post is helpful to you!

Hello,

How is your testing coming along?

We are also having challenges with O365 installations as well as MS updates from different client and server OS's.

Our custom URL category includes all of the windowsupdate Urls as well as the akamai Urls from this link:

https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/microsoft-365/enterprise/managing-of...

*.akadns.net
*.akam.net
*.akamai.com
*.akamai.net
*.akamaiedge.net
*.akamaihd.net
*.akamaized.net
*.edgekey.net
*.edgesuite.net

 

Still testing and we had a rule that allowed PE and DLL files when the clients hit our custom URL category.

But ran into an issue with a Server 2016 OS which was hitting hwcdn.net which is another CDN network.

I dont think we have a final configuration yet-that is as tight as possible but we are getting close.

Also testing using the ms-update application in one rule and the custom category in another.

Interested to know if you have found a tight ruleset that allows this yet.

thx

OD

 

  • 9798 Views
  • 3 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!