O365 Slow/Timing Out when AntiSpyware and/or AntiVirus profile applied to Policy.

Good Afternoon:

A couple of days ago, we started having a very strange issue whereby O365 would sporadically work and/or not work. Particularly, it would time out saying O365 is not responding, or generally the browser (Chrome, Firefox, or IE/Edge) would just freeze up for quite a while. Sometimes it would break free.

That said, I first troubleshot by disabling the SSL Decryption rule... and/or enabling it. Simply put, it made no difference.

Next, I ensured that there is nothing being Country Blocked. Then I searched the Threat area... nothing.

My security policy is set up as follows:

Name: Allow Office 365 | interzone | Zone: Inside | Address: Any | User: Any >>TO>> Zone: Outside | Address: Any | Application: ms-office365, office-on-demand, outlook-web-online, ssl, web-browsing | Service: application-default | ALLOW

Directly above it is the same rule (cloned), but the Application types are:

office365-consumer-access, office365-enterprise-access

****************

Regardless, I started turning off individual security profile components, but if either the Spyware or AntiVirus subscription components are active, it locks up for a long time. Ironically, this happens even if they are set to monitoring, whereby they simply generate alerts.

Now what's stranger is that after setting both of these to None, if I change them back, any user who started working will NOT generally have a problem for about five minutes OR unless they open a different browser. My supposition is that something is cached.

Not really sure what is happening, only that it does tend to stem from my Palo Alto.

Has anyone else seen this behavior and/or have any suggestions?

************

I probably should mention that the AntiVirus settings for my monitor profile are ALL set to "alert" for http, smtp, imap, pop3, ftp, smb, etc. My other AV profile, which does stop viruses, etc., does a reset-both on all the above items. Only the profile that does reset-both does a packet capture.


For my Spyware monitoring profile, I have it set up as follows:

simple-critical, critical, alert, single-packet

simple-high, high, alert, single-packet

simple-medium, medium, alert, single-packet

simple-low, low, alert, disable

simple-informational, informational, alert, disable

On the Anti-Spyware DNS Signatures tab I have it sinkhole two (3) Dynamic Domain Lists:

Specifically:

Palo Alto Networks DNS Signatures (default built-in)

Ransomware Domain Blocklist https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt

MalwareDomains Domain BL http://mirror1.malwaredomains.com/files/justdomains

I have it set to do an extended-capture and to enable passive DNS monitoring.
