
Firewall blocking outbound Office/Windows 10 traffic

Problem

Windows 10 and MS Office have a large number of addresses they attempt to access over port 80 and 443. Much of this ignores the client proxy configuration.

Sophos UTM > Network Protection > Top Dropped Destination Services/Hosts

  1. a23-2-87-17.deploy.static.akamaitechnologies.com
  2. a104-64-234-58.deploy.static.akamaitechnologies.com
  3. a23-41-185-26.deploy.static.akamaitechnologies.com
  4. a96-17-229-36.deploy.static.akamaitechnologies.com
  5. a23-5-230-228.deploy.static.akamaitechnologies.com

All of these have CNAMEs on Microsoft domains.

How do I allow this traffic without having to manually allow every single IP address? There are probably hundreds, if not thousands, of addresses MS/Akamai can use. I need to be able to use a DNS wildcard, but that only seems to be an option on the Web Filtering.

Can I force this traffic through the web filter and allow unauthenticated access somehow? There are dozens of domains here. How are other people using Sophos UTM dealing with this sort of outbound traffic?

https://docs.microsoft.com/en-us/windows/privacy/windows-endpoints-1803-non-enterprise-editions

https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1803-endpoints

https://docs.microsoft.com/en-us/office365/enterprise/managing-office-365-endpoints

  • Hi and welcome to the UTM Community!

    Please show one or two representative lines from the full Firewall log (not the Live Log).

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Here are some examples. Unblocking one IP address is not a valid resolution. I've gone down that road and there are hundreds of addresses Microsoft can send this traffic to.

    Our UTM network protection is flooding with hundreds of thousands of these requests from clients to various addresses.

    2020:05:22-03:23:41 gateway-2 ulogd[14459]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" srcmac="18:8b:9d:98:e8:c7" dstmac="00:1a:8c:f0:bd:80" dstip="104.67.81.83" proto="6" length="48" tos="0x00" prec="0x00" ttl="123" srcport="65291" dstport="80" tcpflags="SYN"
    2020:05:22-03:23:41 gateway-2 ulogd[14459]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" srcmac="18:8b:9d:98:e8:c7" dstmac="00:1a:8c:f0:bd:80" dstip="104.67.81.83" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="50418" dstport="80" tcpflags="SYN"
    2020:05:22-03:23:41 gateway-2 ulogd[14459]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" srcmac="18:8b:9d:98:e8:c7" dstmac="00:1a:8c:f0:bd:80" dstip="104.67.81.83" proto="6" length="48" tos="0x00" prec="0x00" ttl="126" srcport="60418" dstport="80" tcpflags="SYN"
    2020:05:22-03:23:41 gateway-2 ulogd[14459]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" srcmac="18:8b:9d:98:e8:c7" dstmac="00:1a:8c:f0:bd:80" dstip="104.67.81.83" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="63120" dstport="80" tcpflags="SYN"
    2020:05:22-03:23:42 gateway-2 ulogd[14459]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" srcmac="18:8b:9d:98:e8:c7" dstmac="00:1a:8c:f0:bd:80" dstip="104.67.81.83" proto="6" length="48" tos="0x00" prec="0x00" ttl="126" srcport="51942" dstport="80" tcpflags="SYN"

  • fwrule="60002" means there's no firewall rule allowing such traffic.  I would do something like 'Internal (Network) -> Web Surfing -> Internet IPv4 : Allow'.

    To run it through Web Filtering, you would need a Profile in Transparent mode.  If you want to explore that, please start an appropriately-titled thread in the Web Protection forum.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
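An added example (not code from the thread, Sophos, or either poster): a small Python parser for the ulogd packetfilter lines posted above that totals drops per destination, port and protocol, restricted to fwrule 60002 as described in Bob's reply, so the top dropped destinations can be read from the full Firewall log rather than the Live Log. The sample log is constructed; the srcip values and the accepted line's field values are assumptions, since the posted lines show only drops and omit srcip.

```python
import re
from collections import Counter

# Constructed sample in the Sophos UTM ulogd "packetfilter" format quoted in the thread.
# srcip is included here (the posted lines omit it); the accept line's values are assumed.
SAMPLE_LOG = """\
2020:05:22-03:23:41 gateway-2 ulogd[14459]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" srcip="192.168.1.23" dstip="104.67.81.83" proto="6" length="48" ttl="123" srcport="65291" dstport="80" tcpflags="SYN"
2020:05:22-03:23:41 gateway-2 ulogd[14459]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" srcip="192.168.1.41" dstip="104.67.81.83" proto="6" length="52" ttl="126" srcport="50418" dstport="80" tcpflags="SYN"
2020:05:22-03:23:42 gateway-2 ulogd[14459]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" srcip="192.168.1.23" dstip="104.67.81.83" proto="6" length="48" ttl="126" srcport="51942" dstport="80" tcpflags="SYN"
2020:05:22-03:23:42 gateway-2 ulogd[14459]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" srcip="192.168.1.41" dstip="104.67.81.83" proto="6" length="52" ttl="126" srcport="63120" dstport="443" tcpflags="SYN"
2020:05:22-03:23:43 gateway-2 ulogd[14459]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth0" outitf="eth2" srcip="192.168.1.23" dstip="203.0.113.10" proto="6" length="52" ttl="126" srcport="63121" dstport="443" tcpflags="SYN"
"""

PREFIX_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+ulogd\[\d+\]:\s")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Split one ulogd packetfilter line into a dict of its key="value" fields plus ts/host."""
    m = PREFIX_RE.match(line)
    if not m:
        raise ValueError("not a ulogd packetfilter line: %r" % line[:40])
    fields = dict(KV_RE.findall(line[m.end():]))
    fields["ts"], fields["host"] = m.group("ts"), m.group("host")
    return fields


def dropped_destinations(lines, fwrule="60002"):
    """Count dropped flows per (dstip, dstport, proto), restricted to one rule id.

    Per the reply in the thread, fwrule 60002 is the 'no allow rule matched' drop;
    filtering on it separates those hits from explicit block rules.
    """
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("action") == "drop" and f.get("fwrule") == fwrule:
            counts[(f["dstip"], f["dstport"], f.get("proto", "?"))] += 1
    return counts


def top_dropped(lines, n=5, fwrule="60002"):
    """Most-hit destinations, i.e. the candidates for an allow rule or a DNS host group."""
    return dropped_destinations(lines, fwrule).most_common(n)


if __name__ == "__main__":
    for (ip, port, proto), hits in top_dropped(SAMPLE_LOG.splitlines()):
        print("%6d  %s:%s proto=%s" % (hits, ip, port, proto))
```

Feed it the full Firewall log instead of SAMPLE_LOG to see which Akamai/Microsoft destinations dominate before deciding between a broad "Web Surfing" allow and a transparent Web Filtering profile.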