smtp.office365.com - fw rule

Hello, 

I have two XGS2300 in A/P HA (SFOS 19.0.0 GA-Build317)

I have a problem with a firewall rule that allows TCP 587 to the FQDN smtp.office365.com from the internal LAN.

From time to time traffic does not match this rule because the firewall has problems using/resolving all IP addresses hosted by the FQDN smtp.office365.com.

Look at the attachments:

   - in "smtp.office365.com-DNSresolveBySophosFW.jpg" you can see most of the IP addresses resolved from the FQDN smtp.office365.com

   - in "smtp.office365.com-blockedByFirewall.jpg" you can see that traffic from 10.0.84.20 > 40.99.150.82 TCP 587 is not matched by the FW rule for smtp.office365.com

For the moment I had to add "Any" as the destination instead of "smtp.office365.com". Any idea?



  • Can you perform these steps:
    nslookup smtp.office365.com
    Domain Name Server# 127.0.0.1
    Domain Name # smtp.office365.com
    Resolved Address 1# outlook.office365.com.
    Resolved Address 1# outlook.ha.office365.com.
    Resolved Address 1# outlook.ms-acdc.office.com.
    Resolved Address 1# bom-efz.ms-acdc.office.com.
    Resolved Address 1# 40.99.9.50
    Resolved Address 2# 52.98.58.34
    Resolved Address 3# 52.98.123.226
    Resolved Address 4# 40.99.9.178
    Total query time # 58.80 msec
    Domain Name # smtp.office365.com
    Resolved Address 1# 2603:1046:c04:83a::2
    Resolved Address 2# 2603:1046:c04:80d::2
    Resolved Address 3# 2603:1046:c04:818::2
    Resolved Address 4# 2603:1046:c04:800::2
    Total query time # 21.21 msec
    ===============================
    telnet smtp.office365.com 587
    Trying 40.100.141.162...
    Connected to smtp.office365.com.
    Escape character is '^]'.
    220 BMXP287CA0013.outlook.office365.com Microsoft ESMTP MAIL Service ready at Thu, 18 Aug 2022 08:02:35 +0000
    helo localhost
    250 BMXP287CA0013.outlook.office365.com Hello [103.250.31.36]
    ================================
    And if you want to resolve this with the specific DNS then you may execute the following command: nslookup smtp.office365.com <DNS IP>
    =================================
    By the way, what is the DNS config on the client machine (IP 10.0.84.20)?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Server 10.0.84.20 uses the Sophos FW as its DNS server.

  • So can you get the nslookup and telnet output from that client machine and start the tcpdump packet capture + Diagnostics > Packet capture...


    Vivek Jagad | Team Lead, Global Support & Services 

  • Every time I use "nslookup smtp.office365.com" I get a different result.

    C:\Users\Administrator>nslookup smtp.office365.com
    Server: UnKnown
    Address: 10.0.84.1

    Non-authoritative answer:
    Name: fra-efz.ms-acdc.office.com
    Addresses: 2603:1026:c03:6470::2
    2603:1026:c0d:34::2
    2603:1026:c03:6466::2
    52.97.157.162
    52.98.208.66
    52.97.149.242
    Aliases: smtp.office365.com
    outlook.office365.com
    outlook.ha.office365.com
    outlook.ms-acdc.office.com


    C:\Users\Administrator>nslookup smtp.office365.com
    Server: UnKnown
    Address: 10.0.84.1

    Non-authoritative answer:
    Name: hhn-efz.ms-acdc.office.com
    Addresses: 2603:1026:c0d:c02::2
    2603:1026:c0d:c1c::2
    2603:1026:c0d:82d::2
    2603:1026:c0d:82b::2
    52.98.152.162
    40.99.150.34
    40.99.214.34
    52.98.175.2
    Aliases: smtp.office365.com
    outlook.office365.com
    outlook.ha.office365.com
    outlook.ms-acdc.office.com


    C:\Users\Administrator>nslookup smtp.office365.com
    Server: UnKnown
    Address: 10.0.84.1

    Non-authoritative answer:
    Name: outlook-g.trafficmanager.net
    Addresses: 2603:1026:208:85::2
    2603:1026:c02:4012::2
    2603:1026:c03:6807::2
    2603:1026:c0a:8f6::2
    2603:1026:300:c8::2
    2603:1046:c0f:40e::2
    2603:1026:c03:581b::2
    2603:1026:6:2a::2
    40.99.150.2
    40.99.150.18
    40.99.150.50
    52.98.152.178
    Aliases: smtp.office365.com
    outlook.office365.com
    outlook.ha.office365.com
    outlook.ms-acdc.office.com
    hhn-efz.ms-acdc.office.com
    outlook-fs.office.com


    C:\Users\Administrator>nslookup smtp.office365.com
    Server: UnKnown
    Address: 10.0.84.1

    Non-authoritative answer:
    Name: outlook-g.trafficmanager.net
    Addresses: 2603:1026:208:85::2
    2603:1026:c02:4012::2
    2603:1026:c03:6807::2
    2603:1026:c0a:8f6::2
    2603:1026:300:c8::2
    2603:1046:c0f:40e::2
    2603:1026:c03:581b::2
    2603:1026:6:2a::2
    52.98.175.2
    40.101.126.210
    40.101.84.2
    52.98.18.18
    52.98.154.146
    52.97.171.194
    52.97.146.2
    40.99.26.210
    Aliases: smtp.office365.com
    outlook.office365.com
    outlook.ha.office365.com
    outlook.ms-acdc.office.com
    HHN-efz.ms-acdc.office.com
    outlook-fs.office.com


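
As an added illustration (not code from this thread or from Sophos), the Python model below shows why a rule keyed on an FQDN host object can miss a flow when DNS returns a different subset of addresses on each query, as the nslookup results above do: the object only matches addresses it has already resolved, so a client that resolved 40.99.150.82 falls through to the "DenyAll" rule, while the temporary "Any" rule #62 catches it. The DNS answers, the `FqdnHost`/`evaluate`/`simulate` names and the rule layout are constructed for the example from values quoted in the thread.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample data (not captured from the firewall): three successive
# answers for smtp.office365.com, modelled on the nslookup results in this thread.
ANSWERS = [
    ["52.97.157.162", "52.98.208.66", "52.97.149.242"],
    ["52.98.152.162", "40.99.150.34", "40.99.214.34", "52.98.175.2"],
    ["40.99.150.2", "40.99.150.18", "40.99.150.50", "52.98.152.178"],
]
BLOCKED_DST = "40.99.150.82"  # destination the OP saw hitting the DenyAll rule

# A rule is (rule id, action, destination FQDN object or None for "Any",
# destination port or None for any port); rules are evaluated top-down.
Rule = Tuple[int, str, Optional["FqdnHost"], Optional[int]]


@dataclass
class FqdnHost:
    """An FQDN host object can only match addresses it has actually resolved."""
    name: str
    cache: set = field(default_factory=set)

    def learn(self, answer: List[str]) -> None:
        self.cache.update(ipaddress.ip_address(a) for a in answer)

    def matches(self, dst: str) -> bool:
        return ipaddress.ip_address(dst) in self.cache


def evaluate(rules: List[Rule], dst_ip: str, dst_port: int) -> Tuple[Optional[int], str]:
    """Return (rule id, action) of the first matching rule."""
    for rule_id, action, dst, port in rules:
        if port not in (None, dst_port):
            continue
        if dst is not None and not dst.matches(dst_ip):
            continue
        return rule_id, action
    return None, "implicit-drop"


def simulate(answers: List[List[str]], with_temp_rule: bool):
    """Feed the answers to the FQDN object, then evaluate the dropped flow."""
    smtp = FqdnHost("smtp.office365.com")
    for a in answers:
        smtp.learn(a)
    rules: List[Rule] = [(136, "accept", smtp, 587)]
    if with_temp_rule:
        rules.append((62, "accept", None, 587))  # the OP's temporary "Any" rule
    rules.append((1, "drop", None, None))        # the "DenyAll" logging rule
    return len(smtp.cache), evaluate(rules, BLOCKED_DST, 587)
```

Only once a lookup that includes 40.99.150.82 has been learned does rule #136 match the flow, which is why a firewall-side packet capture alongside the client's own nslookup result is the useful evidence here.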

  • Same with the telnet test. With every test I get a different IP address.

    This is OK.

  • Hello

    Can you hover the mouse over the firewall logo and share the screenshot?


    Vivek Jagad | Team Lead, Global Support & Services 

  • Hey, can you check the web policy applied in the FW rule, as it says "Deny all"?


    Vivek Jagad | Team Lead, Global Support & Services 

  • Why? This is the last FW rule, for logging the remaining non-allowed traffic.

    "DenyAll" is a simple Drop "Any" "Any" rule.

    You can see the full sequence:

             - #136 TCP:587 destination "smtp.office365.com"

             - #62 TCP:587 destination "Any" - temporary rule because rule #136 is not working correctly

             - #1 "DenyAll" logging the remaining non-allowed traffic

  • Hi,

    On my XG, 587 was not part of the SMTPS service definition; I had to add it.

    ian

    XG115W - v19.5.1 mr-1 - Home


  • My XGS already has this definition.