Who Me Too'd this topic

Hey,

If at all possible, please could I ask for some input on the best way I try allow M365 office installs (from their CDN) and Windows updates to our endpoints even though we are not using SSL decryption at the moment?

We currently have a policy rule to allow outbound web traffic, matching:

• any dest
• service http/https.
• security profile applied to it that includes the basic file blocking profile (that will stop DLL, cab and Win PE files - all used in Windows updates or Office installs).

Above that, in my Palo ignorance, I've introduced another rule that I was hoping would match Windows update traffic and Office 365 installs. This is set to allow:

• any dest
• match the apps ms-update, ssl and web-browsing
• application default service
• Modified file blocking profile to allow but alert on cab, dll and Win PE files for above app-ids
• URL category including the URLs at the bottom of the post

My question is more about Office at the moment as we need to deploy it - any time we try to deploy an Office app the traffic matches the standard 'Outbound web traffic' rule and normal file blocking denies it. Even though it is categorised as in the Office update URL list (file URL starts with officecdn....) and matches the ms-update or web-browsing app-ids, that are in my allow rule.

Any ideas?

Hope that made sense and sorry if I've made some mistakes, I am new to Palo.

Custom URL categories:

-Win update

windowsupdates.microsoft.com

*.windowsupdate.com

*.windowsupdates.microsoft.com

*.update.microsoft.com

-Office update

officecdn.microsoft.com

*.officecnd.microsoft.com