04-13-2020 11:08 PM
I've talked multiple times to PA support, but also Microsoft support.
from what i've learned, excluding all the office365 ranges should work to some extend, but not in all instances.
I've excluded all the ranges (see below current output from my minemeld instance).
Office365/teams uses it's own routing protocol(!!!) and bypasses the installed routes by global protect. This results in teams still routed through the VPN tunnel for some users. This is not a PA issue (i noticed other vendors have the same issues) but a Microsoft issue.
I've opted them implementing a fix so office365 can be forced to follow the routing table as any other normal application, but of course they are not responding.
My recommendation: use all the ranges provided (don't bother with fqdn or application executables) and log a case with Microsoft about this issue.
[code]
104.146.128.0/17 104.215.11.144 104.215.62.195 104.42.230.91 104.47.0.0/17 13.107.128.0/22 13.107.136.0/22 13.107.140.6 13.107.18.10/31 13.107.3.0/24 13.107.6.152/31 13.107.6.156/31 13.107.6.171 13.107.64.0/18 13.107.7.190/31 13.107.9.156/31 13.70.151.216 13.71.127.197 13.72.245.115 13.73.1.120 13.75.126.169 13.80.125.22 13.89.240.113 13.91.91.243 131.253.33.215 132.245.0.0/16 138.91.237.237 150.171.32.0/22 150.171.40.0/22 157.55.145.0/25 157.55.155.0/25 157.55.227.192/26 191.234.140.0/22 20.190.128.0/18 204.79.197.215 23.103.160.0/20 40.104.0.0/15 40.107.0.0/16 40.108.128.0/17 40.126.0.0/18 40.81.156.154 40.90.218.198 40.92.0.0/15 40.96.0.0/13 51.140.155.234 51.140.203.190 51.141.51.76 52.100.0.0/14 52.104.0.0/14 52.108.0.0/14 52.112.0.0/14 52.163.126.215 52.170.21.67 52.172.185.18 52.174.56.180 52.178.161.139 52.178.94.2 52.183.75.62 52.184.165.82 52.228.25.96 52.238.106.116 52.238.119.141 52.238.78.88 52.242.23.189 52.244.160.207 52.247.150.191 52.96.0.0/14 52.120.0.0/14
[/code]
