Firewall blocking outbound Office/Windows 10 traffic

Problem

Windows 10 and MS Office have a large number of addresses they attempt to access over port 80 and 443. Much of this ignores the client proxy configuration.

Sophos UTM > Network Protection > Top Dropped Destination Services/Hosts

  1. a23-2-87-17.deploy.static.akamaitechnologies.com
  2. a104-64-234-58.deploy.static.akamaitechnologies.com
  3. a23-41-185-26.deploy.static.akamaitechnologies.com
  4. a96-17-229-36.deploy.static.akamaitechnologies.com
  5. a23-5-230-228.deploy.static.akamaitechnologies.com

All of these have CNAMEs on Microsoft domains.

How do I allow this traffic without having to manually allow every single IP address? There are probably hundreds, if not thousands, of addresses MS/Akamai can use. I need to be able to use a DNS wildcard, but that only seems to be an option on the Web Filtering.

Can I force this traffic through the web filter and allow unauthenticated access somehow? There are dozens of domains here. How are other people using Sophos UTM dealing with this sort of outbound traffic?

https://docs.microsoft.com/en-us/windows/privacy/windows-endpoints-1803-non-enterprise-editions

https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1803-endpoints

https://docs.microsoft.com/en-us/office365/enterprise/managing-office-365-endpoints

  • Did you try to use different methods of implementing proxy settings in Windows 10? For example, some services ignore the “user setting” and instead listen to what is set via netsh winhttp set proxy <proxy>:<port>.

    Some people are happy if not all data is transferred to a big vendor, covered under the term telemetry.

    BR

    Alex

  • Hi and welcome to the UTM Community!

    Please show one or two representative lines from the full Firewall log (not the Live Log).

    Cheers - Bob

  • In reply to BAlfson:

    Here are some examples. Unblocking one IP address is not a valid resolution. I've gone down that road and there are hundreds of addresses Microsoft can send this traffic to.

    Our UTM network protection is flooding with hundreds of thousands of these requests from clients to various addresses.

    2020:05:22-03:23:41 gateway-2 ulogd[14459]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" srcmac="18:8b:9d:98:e8:c7" dstmac="00:1a:8c:f0:bd:80" dstip="104.67.81.83" proto="6" length="48" tos="0x00" prec="0x00" ttl="123" srcport="65291" dstport="80" tcpflags="SYN"
    2020:05:22-03:23:41 gateway-2 ulogd[14459]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" srcmac="18:8b:9d:98:e8:c7" dstmac="00:1a:8c:f0:bd:80" dstip="104.67.81.83" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="50418" dstport="80" tcpflags="SYN"
    2020:05:22-03:23:41 gateway-2 ulogd[14459]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" srcmac="18:8b:9d:98:e8:c7" dstmac="00:1a:8c:f0:bd:80" dstip="104.67.81.83" proto="6" length="48" tos="0x00" prec="0x00" ttl="126" srcport="60418" dstport="80" tcpflags="SYN"
    2020:05:22-03:23:41 gateway-2 ulogd[14459]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" srcmac="18:8b:9d:98:e8:c7" dstmac="00:1a:8c:f0:bd:80" dstip="104.67.81.83" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="63120" dstport="80" tcpflags="SYN"
    2020:05:22-03:23:42 gateway-2 ulogd[14459]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" srcmac="18:8b:9d:98:e8:c7" dstmac="00:1a:8c:f0:bd:80" dstip="104.67.81.83" proto="6" length="48" tos="0x00" prec="0x00" ttl="126" srcport="51942" dstport="80" tcpflags="SYN"

  • In reply to A Warre:

    fwrule="60002" means there's no firewall rule allowing such traffic.  I would do something like 'Internal (Network) -> Web Surfing -> Internet IPv4 : Allow'.

    To run it through Web Filtering, you would need a Profile in Transparent mode.  If you want to explore that, please start an appropriately-titled thread in the Web Protection forum.

    Cheers - Bob
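As an added example (not from this thread, Sophos or Microsoft), the following Python script parses ulogd packetfilter lines in the format posted above, counts the SYNs dropped by the default rule 60002 per destination and port, and flags destinations that fall outside a list of published prefixes before a broader allow rule is written. The log sample (abridged, without the MAC fields) and the prefix 104.67.0.0/16 are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the thread's log format: three drops on the default
# rule 60002 and one accepted connection on another rule (to be skipped).
SAMPLE_LOG = """\
2020:05:22-03:23:41 gateway-2 ulogd[14459]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" dstip="104.67.81.83" proto="6" length="48" ttl="123" srcport="65291" dstport="80" tcpflags="SYN"
2020:05:22-03:23:41 gateway-2 ulogd[14459]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" dstip="104.67.81.83" proto="6" length="52" ttl="126" srcport="50418" dstport="80" tcpflags="SYN"
2020:05:22-03:23:42 gateway-2 ulogd[14459]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" dstip="198.51.100.7" proto="6" length="52" ttl="126" srcport="51942" dstport="443" tcpflags="SYN"
2020:05:22-03:23:42 gateway-2 ulogd[14459]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth0" outitf="eth2" dstip="192.0.2.10" proto="6" length="52" ttl="126" srcport="51943" dstport="443" tcpflags="SYN"
"""

# Every field after the ulogd prefix is key="value"; the timestamp and host are ignored.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Split one ulogd line into a dict of its key="value" fields."""
    return dict(KV_RE.findall(line))

def summarize_drops(log_text, default_drop_rule="60002"):
    """Count dropped SYNs per (dstip, dstport) that hit the default drop rule,
    i.e. connection attempts that no explicit firewall rule allows."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("sub") != "packetfilter" or f.get("action") != "drop":
            continue
        if f.get("fwrule") != default_drop_rule or f.get("tcpflags") != "SYN":
            continue
        counts[(f["dstip"], int(f["dstport"]))] += 1
    return counts

def uncovered_destinations(counts, known_prefixes):
    """Return dropped destination IPs outside the given prefixes, i.e. the
    ones a prefix-based allow rule built from that list would still miss."""
    nets = [ipaddress.ip_network(p) for p in known_prefixes]
    ips = {ip for ip, _ in counts}
    return sorted(ip for ip in ips
                  if not any(ipaddress.ip_address(ip) in n for n in nets))

if __name__ == "__main__":
    drops = summarize_drops(SAMPLE_LOG)
    for (ip, port), n in drops.most_common():
        print(f"{ip}:{port}  dropped {n}x")
    # Placeholder prefix; real values come from the endpoint lists linked in the question.
    print("not covered:", uncovered_destinations(drops, ["104.67.0.0/16"]))
```

Feed it the full Firewall log (not the Live Log) to see which destinations and ports dominate before deciding between a service-based rule and transparent Web Filtering.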