Issues with the MineMeld Microsoft EDL's

L1 Bithead

For the last couple of weeks we have been running into an interesting issue with our Office365 EDLs. We pull the Office365 API-based IP/URL list into Panorama using MineMeld. This process is working perfectly. We have compared the output within MineMeld against the EDL on our firewall and they are identical. For some reason I am seeing multiple connections being blocked to IPv4 ranges that are contained in the EDL. This is occurring on multiple protocols (STUN, SSL, etc.), affecting Skype For Business for a number of users. Now, what is odd is that I can fix this issue if I take the IP range from the EDL present on the firewall, create a network object for it, and place it in the same exact rule. So this tells me that the problem is with the firewall using objects in this specific EDL. The EDL has 184 different IPs or IP ranges in it. We are running 8.1.4 on all firewalls. Has anyone else run into this issue? Thank you in advance!

6 REPLIES 6

L7 Applicator

Hi @AndrewZener,

Thank you for posting this. Could you share the range? I did a quick test but I could not reproduce the issue.

 

Luigi

Hi @AndrewZener,

I tested this again with your version, 8.1.4, and I wasn't able to find the range that wasn't matched via EDL. Everything looks good. Could you share more details?

 

Thanks!

Here is the IP range:  52.112.0.0-52.115.255.255  The app affected is Skype. 

 

Like I mentioned earlier I can clearly see the IP range on the firewall contained within the EDL but the traffic is still getting denied by policy to this specific range.  Once I add an IP range Object for it to the same rule it starts matching and the traffic is allowed.  I haven't checked to see if there are other ranges in the EDL being denied, so I will check that this morning and report back.

 

Thank you!

Thanks! Just checked again and it is matching. Which NGFW device are you using? I am testing this on a VM, wondering if it could be an issue with hw architectures with a dedicated dataplane.

This is a VM-300.  I did notice this morning that we are missing some of the Office365/Skype AppID dependencies but I don't see any of them being used.  Can you tell me which AppID's you are testing with?  I am going to try and narrow it down to a specific AppID or protocol. 

Currently I wanted to test the EDL matching, so I just used application any. Is there a specific protocol/app that is not matching that range?
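
An offline check for the comparison discussed in this thread, added here as an example and not code from any of the posters or from MineMeld: it parses an EDL body containing ranges, CIDRs and single addresses, and reports which entries cover a denied destination. The sample list is constructed (only the 52.112.0.0-52.115.255.255 range comes from the thread), and the function names are hypothetical. A hit only shows that the list content covers the address, not that the firewall matched it.

```python
import ipaddress

# Constructed sample EDL body, one entry per line. Only the second
# entry is taken from the thread; the rest are made up for the example.
SAMPLE_EDL = """\
13.107.64.0/18
52.112.0.0-52.115.255.255
2603:1027::/48
40.96.0.1
"""


def parse_entry(line):
    """Return (first, last) addresses for one EDL line, or None if unusable."""
    text = line.strip()
    if not text:
        return None
    try:
        if "-" in text:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
            # Reject mixed-family or reversed ranges instead of guessing.
            if lo.version != hi.version or lo > hi:
                return None
            return lo, hi
        net = ipaddress.ip_network(text, strict=False)  # CIDR or single IP
        return net[0], net[-1]
    except ValueError:
        return None


def load_edl(body):
    """Split an EDL body into parsed entries and a list of skipped lines."""
    entries, skipped = [], []
    for number, line in enumerate(body.splitlines(), 1):
        parsed = parse_entry(line)
        if parsed:
            entries.append((line.strip(), parsed[0], parsed[1]))
        elif line.strip():
            skipped.append((number, line.strip()))
    return entries, skipped


def covering_entries(entries, address):
    """Return the raw EDL lines whose range contains the given address."""
    ip = ipaddress.ip_address(address)
    return [raw for raw, lo, hi in entries
            if lo.version == ip.version and lo <= ip <= hi]
```

Feed it the list exactly as the firewall fetched it and the destination addresses from the denied traffic log entries; any lines returned in `skipped` are worth inspecting first.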
