01-28-2020 11:39 AM - edited 01-28-2020 11:40 AM
Seeing an issue using minemeld and O365 IPs and not having the same IPs that Microsoft is advertising that need to be allowed. Is there any easy way to confirm what is there and and what isn't via minemeld? I've been using for awhile but only now did I notice that some of the CIDRs aren't coming across via minemeld.
01-29-2020 06:27 AM - edited 01-29-2020 06:32 AM
Still fighting this issue. I tried your self signed cert as well from github and now I get a different error message when attempting to authenticate to minemeld using that cert profile:
description contains 'EDL server certificate authentication failed....Reason: SSL peer certificate or SSH remote key was not OK'
Update: So I changed the URL to include the server name instead of the IP address of minemeld and that seems to have fixed it. I can see the IPs and URLs now and all is well again. So:
https://minemeld.mydomain.com/feeds/o365-any-any-ipv4-feed vs https://10.10.10.1/feeds/o365-any-any-ipv4-feed
First one works, second does not after generating the self signed cert on minemeld itself.
01-28-2020 11:56 AM - edited 01-28-2020 11:57 AM
@drewdown which version of MineMeld are you running? could you give me an example of a missing IP?
Thanks
01-28-2020 11:58 AM
Here you go:
VERSION: 0.9.52
O365-40.92.0.0-15
01-28-2020 12:02 PM
Just checked and I see that range (40.92.0.0-40.93.255.255) in my MM instance running 0.9.52.
01-28-2020 01:05 PM - edited 01-28-2020 01:11 PM
Weird because now that I am looking at this seems my external lists referencing mine meld are blank. So something is amiss. Either I have an older version of feed/nodes or something else entirely. I had set this up awhile ago and just assumed it was running. Some of URL references were simply https://youriphere/feeds/office365_IPv4s , was that used at one time?
I went ahead and re-imported the configuration from the how-to and I can see it populating data. But my external mine meld dynamic IP lists are still blank. I tested source URL and it comes back successful but still seem to missing something.
Basically I want to allow all O365 IPs on a specific policy via source IP using mind meld. Is this the way I would do that? Specific policy referencing mine meld external dynamic IP list as the source or destination?
01-28-2020 01:15 PM
@drewdown which config are you referring to? which o364 Miner are you using?
If you could share your config I could give you some guidance.
01-28-2020 01:22 PM
I want to feed o365 IPv4/URLs into external dynamic lists and reference them in policies using those EDLs as source and or destination objects. I configure the cert profile as well and I when browse to the URL in question I get a list of IPs but for whatever reason it doesn't look like PAN is creating the list correctly. IE its blank. I guess I would want to use the o365-worldwide-any-miner ?
01-28-2020 01:35 PM - edited 01-28-2020 01:38 PM
As you can see the list is empty on the device but if I go to that URL it shows all the O365 IPs. I am also referencing it on a security policy but it still won't populate. I am using Panorama to do this if that matters,
youandme@fw3060-678876(active)> request system external-list show type ip name
o365-IPv4 o365-IPv4
o365-IPv4-01 o365-IPv4-01
o365-IPv6 o365-IPv6
<name> <name>
admin@fw1-3060-qts(active)> request system external-list show type ip name o365-IPv4-01
Server error : external dynamic list file either empty or not found
https://youriphere/feeds/o365-any-any-ipv4-feed
101.28.252.0-101.28.252.255
103.9.8.0-103.9.11.255
112.25.33.0-112.25.33.255
115.231.150.0-115.231.150.255
123.150.49.0-123.150.49.255
123.235.32.0-123.235.32.255
125.65.247.0-125.65.247.255
139.217.17.219-139.217.17.219
139.217.19.156-139.217.19.156
139.217.21.3-139.217.21.3
139.217.25.244-139.217.25.244
139.219.145.0-139.219.145.31
139.219.146.0-139.219.146.255
139.219.156.0-139.219.159.255
139.219.16.0-139.219.16.31
139.219.17.0-139.219.17.255
139.219.24.0-139.219.27.255
168.63.252.62-168.63.252.62
171.107.84.0-171.107.84.255
171.111.154.0-171.111.154.255
..............
01-28-2020 01:54 PM - edited 01-28-2020 02:05 PM
More digging shows this in the logs although not sure if its relevant because I still can't get the list to populate:
description contains 'EDL server certificate authentication failed. The associated external dynamic list has been removed, which might impact your policy. EDL Name: o365-IPv4-01, EDL Source URL: https://youriphere/feeds/o365-any-any-ipv4-feed, CN: please use a real certificate, Reason: unable to get local issuer certificate
( description contains 'EDL(o365-IPv4-01) No changes to authentication status, still failing. ' )
The cert I used was the godaddy one from the mine meld install walk through that you wrote @lmori :
01-29-2020 06:27 AM - edited 01-29-2020 06:32 AM
Still fighting this issue. I tried your self signed cert as well from github and now I get a different error message when attempting to authenticate to minemeld using that cert profile:
description contains 'EDL server certificate authentication failed....Reason: SSL peer certificate or SSH remote key was not OK'
Update: So I changed the URL to include the server name instead of the IP address of minemeld and that seems to have fixed it. I can see the IPs and URLs now and all is well again. So:
https://minemeld.mydomain.com/feeds/o365-any-any-ipv4-feed vs https://10.10.10.1/feeds/o365-any-any-ipv4-feed
First one works, second does not after generating the self signed cert on minemeld itself.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
