PBF for Office 365


Hi all,

 

One of our strategic customers is requesting the possibility to route just the O365 traffic to a specific link, and after researching this I think the best option is using MineMeld to automatically feed a list of application IP addresses, but I didn't find any documentation describing how to perform this.

 

Have any of you used MineMeld to monitor the O365 addresses and input them into PANW, and can you share some details with me?

 

Thank you and regards,

 


We have at least one customer using PBF with an IP list dynamically downloaded via DBL to route O365 traffic over a specific link. They are not using MineMeld yet, but its predecessor https://panwdbl.appspot.com.

So yes, I would definitely test and use MineMeld for this scenario.

lmori, can you share how they are using DBL to do this?


@lmori wrote:

We have at least one customer using PBF with an IP list dynamically downloaded via DBL to route O365 traffic over a specific link. They are not using MineMeld yet, but its predecessor https://panwdbl.appspot.com.

So yes, I would definitely test and use MineMeld for this scenario.


 

Hi rrunge1,

You can use a DBL as the target for the PBF rule. The DBL is populated with O365 IP addresses by the O365 Miners.

 

luigi


@lmori wrote:

Hi rrunge1,

You can use a DBL as the target for the PBF rule. The DBL is populated with O365 IP addresses by the O365 Miners.

 

luigi


Luigi,

 

I created the miner using the prototype Office365.O365, but apparently there are some IPs missing in the default list: comparing with https://support.content.office.net/en-us/static/O365IPAddresses.xml, some addresses aren't part of the Office365.O365 miner.

 

I tried to customize the prototype using the address above and could collect more than 1000 indicators from the XML, but the processor doesn't understand the format.

 

 

Hi rrunge1,

Microsoft splits the IP addresses and URLs used for O365 into 17 different lists, one for each O365 service.

Each service has a corresponding Miner in MineMeld. If you want to gather all the IPs you need all the Miners. Basically your graph should look like this one:

 

[Screenshot: Screen Shot 2016-05-25 at 10.08.47.png]

You can download the config here:

https://paloaltonetworks.box.com/s/4ubmkgrq72a8mdd24j733ddqdgbkyvv4

 

To use it you should:

- upload the file to the VM via SCP or SFTP (you can use Filezilla on Windows)

- login into the VM via SSH

- and then

$ sudo -u minemeld cp office365-config.yml /opt/minemeld/local/config/committed-config.yml
$ sudo service minemeld restart

 

luigi

Thanks Luigi, it's working now!

Great! Thanks for letting me know!

Is this safe without overwriting the other configurations in place?

Hi chirsf,

You should merge the two configs by hand:

- sudo -u minemeld vi /opt/minemeld/local/config/committed-config.yml

- the config format is straightforward, it's basically a list of nodes:

nodes:
    node1:
        [...]
    node2:
        [...]

- you should append the list of nodes from the O365 config files to the list of nodes of the current committed-config:

nodes:
    node1:
        [...]
    node2:
        [...]
    o365:
        [...]
    ...

- restart minemeld service "sudo service minemeld restart"

So just delete the nodes: entry and then cat file >> otherfile ?

yes, that should work 🙂
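As an added illustration of the manual merge described above (not code from the thread or from MineMeld itself), a small Python script that appends the `nodes:` entries of the O365 config to an existing committed-config.yml and refuses to proceed when a node name already exists in both, something a plain `cat file >> otherfile` would not catch. It works on the text layout shown in the post (four-space indented node names, `nodes:` as the last top-level key) rather than parsing YAML; the sample configs, node names and the `fabric:` block are constructed, and only the prototype name Office365.O365 comes from the thread.

```python
import re

# Constructed sample configs in the layout the thread describes: a top-level
# `nodes:` map (assumed to be the last top-level key) with node names indented
# by four spaces. Everything except the prototype Office365.O365 is made up.
CURRENT_CONFIG = """\
fabric:
    class: AMQP
nodes:
    existing_miner:
        prototype: example.placeholderMiner
    inboundaggregator:
        inputs:
            - existing_miner
        prototype: example.placeholderAggregator
"""
O365_CONFIG = """\
nodes:
    o365_miner:
        prototype: Office365.O365
    o365_aggregator:
        inputs:
            - o365_miner
        prototype: example.placeholderAggregator
"""
NODE_RE = re.compile(r"^ {4}(\S[^:]*):\s*$")  # a node name directly under `nodes:`

def split_nodes(text):
    """Return (text before `nodes:`, {node name: its lines}); `nodes:` must be last."""
    head, _, body = text.partition("nodes:\n")
    nodes, current = {}, None
    for line in body.splitlines():
        m = NODE_RE.match(line)
        if m:
            current = m.group(1)
            nodes[current] = [line]
        elif current is not None:
            nodes[current].append(line)  # indented child line of the current node
    return head, nodes

def merge_configs(current_cfg, o365_cfg):
    """Append the O365 nodes to the current `nodes:` map, refusing duplicate
    node names that a plain `cat file >> otherfile` would silently create."""
    head, nodes = split_nodes(current_cfg)
    _, new_nodes = split_nodes(o365_cfg)
    clash = sorted(set(nodes) & set(new_nodes))
    if clash:
        raise ValueError("node(s) already in committed-config: " + ", ".join(clash))
    nodes.update(new_nodes)
    lines = [line for block in nodes.values() for line in block]
    return head + "nodes:\n" + "\n".join(lines) + "\n"
```

Write the returned text back over committed-config.yml (as the minemeld user, as in the commands above) and restart the service; the original file is left untouched until you do.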

 

So the fun part is it shows up in the nodes section, but not in the config. It does work and does pull the data down.

Aha I had to hit load. All good now.

 

Is that file the only thing you really need to restore the system should you have to reimage or rebuild?

All the information you need to rebuild the instance is stored under /opt/minemeld/local/config.

You may also want to back up local/data (after stopping minemeld-engine) if you want to save the current set of indicators.
