08-06-2021 09:12 AM
New to Palo Alto so might be an easy solution. I'm trying to set up URL filtering to allow Office 365. I've tested the object and policy with other websites such as bbc.co.uk and sky.com so I know my policy works, however, when I add the Office 365 URLs from https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-world... it doesn't seem to work. Any ideas are welcomed.
08-09-2021 04:25 AM
Did you add the URLs to a custom URL category which you then use in a URL filtering profile or directly to a security policy rule?
What exactly does not work? Are the connections blocked to Office 365? Isn't the traffic using the rule you think it should (the one where you use the Office 365 URLs)? Or does it show some other errors / problems?
08-11-2021 03:01 AM
Hi @vsys_remo ,
I added the URLs from the Microsoft website to a custom URL category and then used it in a URL filtering profile which I assigned to a policy. The problem seems to be that whenever it goes to log in to Office 365 the site is still blocked. My aim is to deny all internet traffic apart from specific sites such as O365.
I know the rule works for other addresses such as bbc.co.uk but doesn't work while authenticating with O365.
08-11-2021 03:31 AM
Did you add all the URLs from that URL in your first post in this topic? Including login.microsoftonline.com (which probably is the most important one for the login)?
08-11-2021 03:48 AM
08-11-2021 03:51 AM
When you check the logs for this connection, does it hit the security policy rule where you added the custom URL category?
08-11-2021 03:58 AM
When I monitor it I see it attempting to get to the 'ms-office365-base' application but it's ended with policy-deny.
08-11-2021 05:45 AM - edited 08-11-2021 06:06 AM
And you did allow this application in the policy? If yes, then I would change your setup a little bit - at least for troubleshooting.
This way I assume the access will work and you will see in the URL logs which URLs are missing in your custom category.
08-11-2021 06:02 AM
I think I've got it sorted now. Added ms-office365 to the applications on the rule and it's allowing it through now. Thanks for your help @vsys_remo, much appreciated.