We're trying to use the IPS feature to block malicious logins from Office 365 servers back into our ADFS servers. Microsoft is proxying the traffic so we don't see the actual original IP until after it's hit ADFS and tried to authenticate. I've got the XG inline between the ADFS and the internet and it's working to proxy the traffic now, but I haven't found the way to get a content filter signature to recognize the traffic. I have a custom rule that is content:"5.188.207."; with drop session applied to the web server application rule on the firewall. On my ADFS server I'm still seeing traffic from the 5.188.207.0 subnet knocking on the door though. I've tried looking at the pcap filter but it looks like pcap is looking at the encrypted HTTPS traffic and the decoded traffic from the proxy. Does the content rule not work on HTTPS even though it's being proxied by the firewall?