smtp.office365.com - fw rule

Hello, 

I have two XGS2300 in A/P HA (SFOS 19.0.0 GA-Build317)

I have a problem with a firewall rule that allows TCP 587 to the FQDN smtp.office365.com from the internal LAN.

From time to time traffic does not match this rule, because the firewall has a problem using/resolving all the IP addresses hosted behind the FQDN smtp.office365.com.

Look at the attachments:

   -  in "smtp.office365.com-DNSresolveBySophosFW.jpg" you can see most of the IP addresses resolved from the FQDN smtp.office365.com

   - in "smtp.office365.com-blockedByFirewall.jpg" you can see that traffic from 10.0.84.20 > 40.99.150.82 TCP 587 is not matched by the FW rule for smtp.office365.com

For the moment I had to add "Any" as destination instead of "smtp.office365.com". Any idea?

  • Of course NAT is already in place, because some email can pass....

    The main problem is that the firewall rule (with FQDN "smtp.office365.com" as destination) will not match some IPs from the DNS resolve of the FQDN "smtp.office365.com".

  • Can you perform these steps:
    nslookup smtp.office365.com
    Domain Name Server# 127.0.0.1
    Domain Name # smtp.office365.com
    Resolved Address 1# outlook.office365.com.
    Resolved Address 1# outlook.ha.office365.com.
    Resolved Address 1# outlook.ms-acdc.office.com.
    Resolved Address 1# bom-efz.ms-acdc.office.com.
    Resolved Address 1# 40.99.9.50
    Resolved Address 2# 52.98.58.34
    Resolved Address 3# 52.98.123.226
    Resolved Address 4# 40.99.9.178
    Total query time # 58.80 msec
    Domain Name # smtp.office365.com
    Resolved Address 1# 2603:1046:c04:83a::2
    Resolved Address 2# 2603:1046:c04:80d::2
    Resolved Address 3# 2603:1046:c04:818::2
    Resolved Address 4# 2603:1046:c04:800::2
    Total query time # 21.21 msec
    ===============================
    telnet smtp.office365.com 587
    Trying 40.100.141.162...
    Connected to smtp.office365.com.
    Escape character is '^]'.
    220 BMXP287CA0013.outlook.office365.com Microsoft ESMTP MAIL Service ready at Thu, 18 Aug 2022 08:02:35 +0000
    helo localhost
    250 BMXP287CA0013.outlook.office365.com Hello [103.250.31.36]
    ================================
    And if you want to resolve this with a specific DNS server, you may execute the following command: nslookup smtp.office365.com <DNS IP>
    =================================
    By the way, what is the DNS config on the client machine with IP 10.0.84.20?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Server 10.0.84.20 uses the Sophos FW as DNS server.

  • So can you perform the nslookup and telnet from that client machine and share the output, and start the tcpdump packet capture + Diagnostics > Packet capture...

  • Every time I use "nslookup smtp.office365.com" I get a different result.

    C:\Users\Administrator>nslookup smtp.office365.com
    Server: UnKnown
    Address: 10.0.84.1

    Non-authoritative answer:
    Name: fra-efz.ms-acdc.office.com
    Addresses: 2603:1026:c03:6470::2
    2603:1026:c0d:34::2
    2603:1026:c03:6466::2
    52.97.157.162
    52.98.208.66
    52.97.149.242
    Aliases: smtp.office365.com
    outlook.office365.com
    outlook.ha.office365.com
    outlook.ms-acdc.office.com


    C:\Users\Administrator>nslookup smtp.office365.com
    Server: UnKnown
    Address: 10.0.84.1

    Non-authoritative answer:
    Name: hhn-efz.ms-acdc.office.com
    Addresses: 2603:1026:c0d:c02::2
    2603:1026:c0d:c1c::2
    2603:1026:c0d:82d::2
    2603:1026:c0d:82b::2
    52.98.152.162
    40.99.150.34
    40.99.214.34
    52.98.175.2
    Aliases: smtp.office365.com
    outlook.office365.com
    outlook.ha.office365.com
    outlook.ms-acdc.office.com


    C:\Users\Administrator>nslookup smtp.office365.com
    Server: UnKnown
    Address: 10.0.84.1

    Non-authoritative answer:
    Name: outlook-g.trafficmanager.net
    Addresses: 2603:1026:208:85::2
    2603:1026:c02:4012::2
    2603:1026:c03:6807::2
    2603:1026:c0a:8f6::2
    2603:1026:300:c8::2
    2603:1046:c0f:40e::2
    2603:1026:c03:581b::2
    2603:1026:6:2a::2
    40.99.150.2
    40.99.150.18
    40.99.150.50
    52.98.152.178
    Aliases: smtp.office365.com
    outlook.office365.com
    outlook.ha.office365.com
    outlook.ms-acdc.office.com
    hhn-efz.ms-acdc.office.com
    outlook-fs.office.com


    C:\Users\Administrator>nslookup smtp.office365.com
    Server: UnKnown
    Address: 10.0.84.1

    Non-authoritative answer:
    Name: outlook-g.trafficmanager.net
    Addresses: 2603:1026:208:85::2
    2603:1026:c02:4012::2
    2603:1026:c03:6807::2
    2603:1026:c0a:8f6::2
    2603:1026:300:c8::2
    2603:1046:c0f:40e::2
    2603:1026:c03:581b::2
    2603:1026:6:2a::2
    52.98.175.2
    40.101.126.210
    40.101.84.2
    52.98.18.18
    52.98.154.146
    52.97.171.194
    52.97.146.2
    40.99.26.210
    Aliases: smtp.office365.com
    outlook.office365.com
    outlook.ha.office365.com
    outlook.ms-acdc.office.com
    HHN-efz.ms-acdc.office.com
    outlook-fs.office.com



  • Same with the telnet test. With every test I get a different IP address.

    This is OK.
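The behaviour the posts above describe (the firewall and the client getting different answer sets for the same name, so a connection can go to an address the firewall never resolved) can be reproduced offline with the following added example. It is not code from this thread or from Sophos. It parses the two nslookup output formats shown above, mimics an FQDN host object that only matches addresses the firewall itself has resolved and cached, and lists the client-resolved addresses such an object would miss. The sample outputs are constructed from the answers posted in the thread; the client answer containing 40.99.150.82 is made up to mirror the blocked flow in the log screenshot.

```python
"""Added example, not from the thread or from Sophos.

An FQDN host object on the firewall can only match destinations the firewall
has resolved itself. The client queries the same resolver, but each answer for
smtp.office365.com carries a different subset of a large address pool, so the
client can connect to an address the firewall has never cached. This script
shows that gap on constructed sample data.
"""
import ipaddress

# Constructed: the firewall's own lookup, in the SFOS "nslookup" output format.
FW_NSLOOKUP = """\
Domain Name Server# 127.0.0.1
Domain Name # smtp.office365.com
Resolved Address 1# outlook.office365.com.
Resolved Address 1# outlook.ha.office365.com.
Resolved Address 1# 40.99.9.50
Resolved Address 2# 52.98.58.34
Resolved Address 3# 52.98.123.226
Resolved Address 4# 40.99.9.178
Total query time # 58.80 msec
Domain Name # smtp.office365.com
Resolved Address 1# 2603:1046:c04:83a::2
Resolved Address 2# 2603:1046:c04:80d::2
Total query time # 21.21 msec
"""

# Constructed: two Windows nslookup answers as seen from the client 10.0.84.20.
# The second address block is made up to include the blocked destination.
CLIENT_NSLOOKUPS = [
    """\
Server:  UnKnown
Address:  10.0.84.1

Non-authoritative answer:
Name:    outlook-g.trafficmanager.net
Addresses:  2603:1026:208:85::2
          40.99.9.50
          40.99.150.2
          40.99.150.18
Aliases:  smtp.office365.com
          outlook.office365.com
""",
    """\
Server:  UnKnown
Address:  10.0.84.1

Non-authoritative answer:
Name:    hhn-efz.ms-acdc.office.com
Addresses:  2603:1026:c0d:c02::2
          52.98.152.162
          40.99.150.34
          40.99.150.82
Aliases:  smtp.office365.com
""",
]


def _as_ip(token):
    """Return a normalised IP string, or None if the token is a hostname/junk."""
    try:
        return str(ipaddress.ip_address(token.strip().rstrip(".")))
    except ValueError:
        return None


def parse_sfos_nslookup(text):
    """Collect IPv4/IPv6 answers from SFOS 'Resolved Address N# ...' lines."""
    ips = set()
    for line in text.splitlines():
        if not line.startswith("Resolved Address"):
            continue  # skips 'Domain Name Server# 127.0.0.1' and timing lines
        ip = _as_ip(line.split("#", 1)[1])
        if ip:  # CNAME hops such as outlook.office365.com. are not addresses
            ips.add(ip)
    return ips


def parse_windows_nslookup(text):
    """Collect answer addresses from Windows nslookup output.

    Everything before 'Non-authoritative answer:' describes the resolver
    (10.0.84.1 here) and must not be treated as an answer.
    """
    ips = set()
    in_answer = False
    for line in text.splitlines():
        if line.startswith("Non-authoritative answer:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if line.startswith("Aliases:"):
            break
        # 'Addresses:  x' / 'Address:  x' / 'Name:  x' carry a prefix;
        # indented continuation lines carry the bare address.
        token = line.split(":", 1)[1] if line.startswith(("Address", "Name")) else line
        ip = _as_ip(token)
        if ip:
            ips.add(ip)
    return ips


def fqdn_object_matches(dst, fw_resolved):
    """Mimic an FQDN host object: match only addresses the firewall resolved."""
    ip = _as_ip(dst)
    return ip is not None and ip in fw_resolved


def uncovered_destinations(client_answers, fw_resolved):
    """Addresses the client may connect to that the firewall has not cached."""
    seen = set()
    for answer in client_answers:
        seen |= parse_windows_nslookup(answer)
    return seen - fw_resolved


if __name__ == "__main__":
    fw = parse_sfos_nslookup(FW_NSLOOKUP)
    for dst in ("40.99.9.50", "40.99.150.82"):
        verdict = "matches FQDN rule" if fqdn_object_matches(dst, fw) else "falls through to next rule"
        print(f"10.0.84.20 -> {dst}:587  {verdict}")
    print("client-resolved but unknown to firewall:",
          sorted(uncovered_destinations(CLIENT_NSLOOKUPS, fw)))
```

Running it shows 40.99.9.50 matching and 40.99.150.82 falling through, which is exactly the pattern in the blocked-by-firewall screenshot: the rule with the FQDN destination is not wrong, its cached address set is simply narrower than what the client is handed. The same parsers can be pointed at real output captured on the firewall console and on the client to confirm the gap on a live system.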

  • Hello

    Can you hover the mouse on the firewall logo and share the screenshot ?

  • Hey, can you check the web policy applied in the FW rule, as it says "Deny all"?

  • Why? This is the last FW rule, for logging the remaining non-allowed traffic.

    "DenyAll" is a simple Drop "Any" "Any" rule.

    You can see the full sequence:

             - #136 TCP:587 destination "smtp.office365.com"

             - #62  TCP:587 destination "any" - temporary rule, because rule #136 is not working correctly

             - #1   "DenyAll" logging the remaining non-allowed traffic