A couple days ago, we started having a very strange issue whereby O365 would sporadically work and/or not work. Particularly, it would time out saying o365 is not responding or generally the browser (Chrome, Firefox, or IE/Edge) would just freeze up for quite a while. Sometimes it would break free.
That said, I first troubleshot by disabling the SSL Decryption rule... and/or enabling it. Simply put, it made no difference.
Next, I ensured that there is nothing being Country Blocked. Then I searched the Threat area... nothing.
My security policy is set up as follows:
Name: Allow Office 365 | interzone | Zone: Inside | Address: Any | User: Any >>TO>> Zone: Outside | Address: Any | Application: ms-office365, office-on-demand, outlook-web-online, ssl, web-browsing | Service: application-default | ALLOW
Directly above it is the same rule (cloned), but the Application types are:
Regardless, I started turning off individual security profile components, but if either the Spyware or AntiVirus subscription components are active, it locks up for a long time. Ironically, this happens even if they are set to monitoring whereby they simply make Alerts.
Now what's stranger is after setting both of these to None, if I change them back, any user who started working will NOT generally have a problem for about five minutes OR unless they open a different browser. My supposition is that something is cached.
Not really sure what is happening only it does tend to stem from my Palo Alto.
Has anyone else seen this behavior and/or have any suggestions?
I probably should mention my AntiVirus settings for my monitor Profile are ALL set to "alert" for http, smtp, imap, pop3, ftp, smb, etc. My other AV profile, which does stop viruses etc does a reset-both on all the above items. Only the profile that does reset-both does a packet capture.
For my Spyware monitoring profile, I have it set up as follows:
simple-critical, critical, alert, single-packet
simple-high, high, alert, single-packet
simple-medium, medium, alert, single-packet
simple-low, low, alert, disable
simple-informational, informational, alert, disable
On the Anti-Spyware DNS Signatures tab I have it Sinkhole two (3) Dynamic Domain Lists:
Palo Alto Networks DNS Signatures (default built-in)
RansomeWare Domain Blocklist https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
MalwareDomains Domain BL http://mirror1.malwaredomains.com/files/justdomains
I have it set to do an extended-capture and enable passive DNS Monitoring.