This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

smtp.office365.com - fw rule

MOl over 1 year ago

Hello,

I have two XGS2300 in A/P HA (SFOS 19.0.0 GA-Build317)

I have problem with firewall rule that allow TCP: 587 to fqdn smtp.office.365.com from internal LAN

from time to time traffic did not match this rule because firewall has problem to use/resolve all IP address that is hosted by fqdn smtp.office365.com

Look at attach:

- in "smtp.office365.com-DNSresolveBySophosFW.jpg" you can see most of IP addesses resolved from fqdn smtp.office36 5.com

- in "smtp.office365.com-blockedByFirewall.jpg" you can see that traffic from 10.0.84.20 > 40.99.150.82 TCP 587 is not matched by fw rule for smtp.office365.com

for this moment i had to add "Any" as destination instead of "smtp.office365.com" any idea?

This thread was automatically locked due to age.

Top Replies

Vivek Jagad over 1 year ago +1 suggested

Hello MOl , Thank you for reaching out to the community, ensure the fw rule created is on the top ! You can also add them into the exceptions: 1.) Office 365 URLs and IP address ranges - https://docs.microsoft…

Parents

0 Vivek Jagad over 1 year ago

Hello MOl,

Thank you for reaching out to the community, ensure the fw rule created is on the top !
You can also add them into the exceptions:
1.) Office 365 URLs and IP address ranges - https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
2.) Configure web exceptions for Office 365 - https://support.sophos.com/support/s/article/KB-000038173?language=en_US

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Cancel
0 MOl over 1 year ago in reply to Vivek Jagad

Hello #Vivek,

I already have this and do not have any affect.

Main problem is that firewall rule (with fqdn "smtp.office365.com as destination) will not match all IPs from dns resolve of fqdn "smtp.office365.com"

MOl
Cancel
Vote Up 0 Vote Down

Cancel
0 MOl over 1 year ago in reply to Vivek Jagad

server 10.0.84.20 use sohosFW as DNS server
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 1 year ago in reply to MOl

So can you perform the nslookup and telnet output from that client machine and start the tcpdump packet capture + diagnostics > packet capture...

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 MOl over 1 year ago in reply to Vivek Jagad

Everytime i use "nslookup smtp.office365.com" I will get different result.

C:\Users\Administrator>nslookup smtp.office365.com
Server: UnKnown
Address: 10.0.84.1

Non-authoritative answer:
Name: fra-efz.ms-acdc.office.com
Addresses: 2603:1026:c03:6470::2
2603:1026:c0d:34::2
2603:1026:c03:6466::2
52.97.157.162
52.98.208.66
52.97.149.242
Aliases: smtp.office365.com
outlook.office365.com
outlook.ha.office365.com
outlook.ms-acdc.office.com

C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>nslookup smtp.office365.com
Server: UnKnown
Address: 10.0.84.1

Non-authoritative answer:
Name: hhn-efz.ms-acdc.office.com
Addresses: 2603:1026:c0d:c02::2
2603:1026:c0d:c1c::2
2603:1026:c0d:82d::2
2603:1026:c0d:82b::2
52.98.152.162
40.99.150.34
40.99.214.34
52.98.175.2
Aliases: smtp.office365.com
outlook.office365.com
outlook.ha.office365.com
outlook.ms-acdc.office.com

C:\Users\Administrator>nslookup smtp.office365.com
Server: UnKnown
Address: 10.0.84.1

Non-authoritative answer:
Name: outlook-g.trafficmanager.net
Addresses: 2603:1026:208:85::2
2603:1026:c02:4012::2
2603:1026:c03:6807::2
2603:1026:c0a:8f6::2
2603:1026:300:c8::2
2603:1046:c0f:40e::2
2603:1026:c03:581b::2
2603:1026:6:2a::2
40.99.150.2
40.99.150.18
40.99.150.50
52.98.152.178
Aliases: smtp.office365.com
outlook.office365.com
outlook.ha.office365.com
outlook.ms-acdc.office.com
hhn-efz.ms-acdc.office.com
outlook-fs.office.com

C:\Users\Administrator>nslookup smtp.office365.com
Server: UnKnown
Address: 10.0.84.1

Non-authoritative answer:
Name: outlook-g.trafficmanager.net
Addresses: 2603:1026:208:85::2
2603:1026:c02:4012::2
2603:1026:c03:6807::2
2603:1026:c0a:8f6::2
2603:1026:300:c8::2
2603:1046:c0f:40e::2
2603:1026:c03:581b::2
2603:1026:6:2a::2
52.98.175.2
40.101.126.210
40.101.84.2
52.98.18.18
52.98.154.146
52.97.171.194
52.97.146.2
40.99.26.210
Aliases: smtp.office365.com
outlook.office365.com
outlook.ha.office365.com
outlook.ms-acdc.office.com
HHN-efz.ms-acdc.office.com
outlook-fs.office.com

C:\Users\Administrator>
Cancel
Vote Up 0 Vote Down

Cancel
0 MOl over 1 year ago in reply to MOl

same with telnet test. With every test i will get different IP address.

This is OK.
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 1 year ago in reply to MOl

Hello MOl,

Can you hover the mouse on the firewall logo and share the screenshot ?

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 MOl over 1 year ago in reply to Vivek Jagad
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 1 year ago in reply to MOl

hey MOl, Can you check the web policy applied in the FW rule as it says: "Deny all"

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 MOl over 1 year ago in reply to Vivek Jagad

why? this is last fw rule for logging remain non-allowed traffic.

"DenyAll" is simple Drop "Any" "Any" rule.

you can see full seqvence

- #136 TCP:587 destination "smtp.office365.com"

- # 62 TCP:587 destination "any" - temporary rule becouse rule #136 is not working correctly

- # 1 "DennyALL" logging remain non-allowed traffic
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 1 year ago in reply to MOl

Hi,

on my XG, 587 was not part of the smtps service definition, I had to add it.

ian

XG115W - v20 GA - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 MOl over 1 year ago in reply to rfcat_vk

my XGS already have this definition.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 MOl over 1 year ago in reply to rfcat_vk

my XGS already have this definition.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 carbon15 over 1 year ago in reply to MOl

I've seen this behaviour a couple of times, I tried finding the cause with the help of Sophos Support but it proved fruitless. It didn't happen often enough to justify spending the time debugged the logs - we just switched to use the IP ranges on the firewall rule and moved on with life. Probably not the silver bullet you were hoping for,..

Regards
Cancel
Vote Up +1 Vote Down

Cancel