O365 Slow/Timing Out when AntiSpyware and/or AntiVirus profile applied to Policy.

L1 Bithead


Good Afternoon:

 

A couple of days ago, we started having a very strange issue whereby O365 would sporadically work and/or not work. In particular, it would time out, saying O365 is not responding, or generally the browser (Chrome, Firefox, or IE/Edge) would just freeze up for quite a while. Sometimes it would break free.

 

That said, I first troubleshot by disabling the SSL Decryption rule and/or enabling it. Simply put, it made no difference.

 

Next, I ensured that nothing is being Country Blocked. Then I searched the Threat area... nothing.

 

My security policy is setup as follows:

Name: Allow Office 365 | interzone | Zone: Inside | Address: Any | User: Any >>TO>> Zone: Outside | Address: Any | Application: ms-office365, office-on-demand, outlook-web-online, ssl, web-browsing | Service: application-default | ALLOW

 

Directly above it is the same rule (cloned), but the Application types are:

office365-consumer-access, office365-enterprise-access

 

****************

 

Regardless, I started turning off individual security profile components, but if either the Spyware or AntiVirus subscription component is active, it locks up for a long time. Ironically, this happens even if they are set to monitoring, whereby they simply make alerts.

 

Now, what's stranger is that after setting both of these to None, if I change them back, any user who has started working will NOT generally have a problem for about five minutes OR unless they open a different browser. My supposition is that something is cached.

 

Not really sure what is happening, only that it does tend to stem from my Palo Alto.

 

Has anyone else seen this behavior and/or have any suggestions?


************

I probably should mention that my AntiVirus settings for my monitor profile are ALL set to "alert" for http, smtp, imap, pop3, ftp, smb, etc. My other AV profile, which does stop viruses, etc., does a reset-both on all the above items. Only the profile that does reset-both does a packet capture.


For my Spyware monitoring profile, I have it set up as follows:

simple-critical, critical, alert, single-packet

simple-high, high, alert, single-packet

simple-medium, medium, alert, single-packet

simple-low, low, alert, disable

simple-informational, informational, alert, disable

 

On the Anti-Spyware DNS Signatures tab I have it sinkhole three (3) Dynamic Domain Lists:

Specifically:

Palo Alto Networks DNS Signatures (default built-in)

Ransomware Domain Blocklist https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt

MalwareDomains Domain BL http://mirror1.malwaredomains.com/files/justdomains

 

I have it set to do an extended-capture and to enable passive DNS monitoring.
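The post describes the symptom by feel ("sporadically", "freeze up for quite a while"). A practitioner chasing this would want a number to compare with the AV/anti-spyware profiles attached to the rule versus set to None. The following is an added example, not code from the post or from Palo Alto Networks: a small probe that fetches a URL repeatedly from a client behind the firewall and tallies successes, stalls past a timeout, and other failures. The `probe`/`ProbeResult`/`start_demo_server` names, the loopback stand-in server and its `/fast` and `/slow` paths are this example's own constructions so it runs offline; in real use you would point `probe` at an O365 URL such as the Outlook Web endpoint and run it once per profile setting.

```python
"""Tally ok / timeout / error for repeated fetches of an endpoint.

Added example, not from the post or Palo Alto Networks. Run it from a
client behind the firewall with the AV / anti-spyware profiles on the
rule, then again with them set to None, and compare the two summaries.
"""
import http.client
import http.server
import socket
import statistics
import threading
import time
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class ProbeResult:
    url: str
    ok: int = 0           # response received within `timeout`
    timeouts: int = 0     # request stalled past `timeout` seconds
    errors: int = 0       # anything else: DNS, TLS, reset, HTTP error status
    latencies_ms: list = field(default_factory=list)

    @property
    def median_ms(self):
        return statistics.median(self.latencies_ms) if self.latencies_ms else None


def probe(url, attempts=10, timeout=5.0, pause=0.0):
    """Fetch `url` `attempts` times and classify each try as ok / timeout / error."""
    result = ProbeResult(url=url)
    for _ in range(attempts):
        req = urllib.request.Request(url, headers={"User-Agent": "stall-probe/1.0"})
        start = time.monotonic()
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                resp.read(4096)  # read the first bytes so a stalled body also counts
            result.ok += 1
            result.latencies_ms.append((time.monotonic() - start) * 1000)
        except urllib.error.URLError as exc:
            # urlopen wraps a connect timeout in URLError; other reasons are errors
            if isinstance(exc.reason, socket.timeout):
                result.timeouts += 1
            else:
                result.errors += 1
        except socket.timeout:
            # a stall waiting for headers or body surfaces as a bare timeout
            result.timeouts += 1
        except (OSError, http.client.HTTPException):
            result.errors += 1
        if pause:
            time.sleep(pause)
    return result


class _DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the O365 endpoint (example only):
    /fast answers at once, /slow sleeps longer than the client timeout
    to imitate a session the firewall is holding."""

    def do_GET(self):
        if self.path == "/slow":
            time.sleep(3)
        try:
            self.send_response(200)
            self.send_header("Content-Length", "2")
            self.end_headers()
            self.wfile.write(b"ok")
        except (BrokenPipeError, ConnectionResetError):
            pass  # the probe already gave up on this connection

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_demo_server():
    """Start the stand-in on a free loopback port; returns its base URL."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _DemoHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]


def summarize(result):
    median = None if result.median_ms is None else round(result.median_ms, 1)
    return "%s: ok=%d timeouts=%d errors=%d median_ms=%s" % (
        result.url, result.ok, result.timeouts, result.errors, median)


if __name__ == "__main__":
    base = start_demo_server()
    print(summarize(probe(base + "/fast", attempts=5, timeout=1.0)))
    print(summarize(probe(base + "/slow", attempts=2, timeout=0.5)))
```

Keep `timeout` below whatever the browser tolerates (a few seconds is plenty), so a stalled session is counted rather than waited out; a profile that adds stalls shows up as a jump in `timeouts`, while DNS sinkholing or a reset-both verdict shows up under `errors` instead.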
