
smtp.office365.com - fw rule

Hello, 

I have two XGS2300 in A/P HA (SFOS 19.0.0 GA-Build317)

I have a problem with a firewall rule that allows TCP 587 to the FQDN smtp.office365.com from the internal LAN.

From time to time traffic does not match this rule because the firewall has a problem using/resolving all of the IP addresses hosted by the FQDN smtp.office365.com.

Look at the attachments:

   - in "smtp.office365.com-DNSresolveBySophosFW.jpg" you can see most of the IP addresses resolved from the FQDN smtp.office365.com

   - in "smtp.office365.com-blockedByFirewall.jpg" you can see that traffic from 10.0.84.20 > 40.99.150.82 TCP 587 is not matched by the fw rule for smtp.office365.com

For the moment I had to add "Any" as destination instead of "smtp.office365.com". Any idea?



  • Hello,

    Thank you for reaching out to the community. Ensure the fw rule created is on top!
    You can also add them into the exceptions:
    1.) Office 365 URLs and IP address ranges - https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
    2.) Configure web exceptions for Office 365 - https://support.sophos.com/support/s/article/KB-000038173?language=en_US

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hello #Vivek,

    I already have this and it does not have any effect.

    The main problem is that the firewall rule (with the FQDN "smtp.office365.com" as destination) will not match all IPs from the DNS resolution of the FQDN "smtp.office365.com".

    MOl

  • So can you perform the nslookup and telnet from that client machine and share the output, and start the tcpdump packet capture + Diagnostics > Packet capture...

    Thanks & Regards,
    Vivek Jagad | Team Lead, Global Support & Services 


  • Every time I use "nslookup smtp.office365.com" I get a different result.

    C:\Users\Administrator>nslookup smtp.office365.com
    Server: UnKnown
    Address: 10.0.84.1

    Non-authoritative answer:
    Name: fra-efz.ms-acdc.office.com
    Addresses: 2603:1026:c03:6470::2
    2603:1026:c0d:34::2
    2603:1026:c03:6466::2
    52.97.157.162
    52.98.208.66
    52.97.149.242
    Aliases: smtp.office365.com
    outlook.office365.com
    outlook.ha.office365.com
    outlook.ms-acdc.office.com


    C:\Users\Administrator>
    C:\Users\Administrator>nslookup smtp.office365.com
    Server: UnKnown
    Address: 10.0.84.1

    Non-authoritative answer:
    Name: hhn-efz.ms-acdc.office.com
    Addresses: 2603:1026:c0d:c02::2
    2603:1026:c0d:c1c::2
    2603:1026:c0d:82d::2
    2603:1026:c0d:82b::2
    52.98.152.162
    40.99.150.34
    40.99.214.34
    52.98.175.2
    Aliases: smtp.office365.com
    outlook.office365.com
    outlook.ha.office365.com
    outlook.ms-acdc.office.com


    C:\Users\Administrator>nslookup smtp.office365.com
    Server: UnKnown
    Address: 10.0.84.1

    Non-authoritative answer:
    Name: outlook-g.trafficmanager.net
    Addresses: 2603:1026:208:85::2
    2603:1026:c02:4012::2
    2603:1026:c03:6807::2
    2603:1026:c0a:8f6::2
    2603:1026:300:c8::2
    2603:1046:c0f:40e::2
    2603:1026:c03:581b::2
    2603:1026:6:2a::2
    40.99.150.2
    40.99.150.18
    40.99.150.50
    52.98.152.178
    Aliases: smtp.office365.com
    outlook.office365.com
    outlook.ha.office365.com
    outlook.ms-acdc.office.com
    hhn-efz.ms-acdc.office.com
    outlook-fs.office.com


    C:\Users\Administrator>nslookup smtp.office365.com
    Server: UnKnown
    Address: 10.0.84.1

    Non-authoritative answer:
    Name: outlook-g.trafficmanager.net
    Addresses: 2603:1026:208:85::2
    2603:1026:c02:4012::2
    2603:1026:c03:6807::2
    2603:1026:c0a:8f6::2
    2603:1026:300:c8::2
    2603:1046:c0f:40e::2
    2603:1026:c03:581b::2
    2603:1026:6:2a::2
    52.98.175.2
    40.101.126.210
    40.101.84.2
    52.98.18.18
    52.98.154.146
    52.97.171.194
    52.97.146.2
    40.99.26.210
    Aliases: smtp.office365.com
    outlook.office365.com
    outlook.ha.office365.com
    outlook.ms-acdc.office.com
    HHN-efz.ms-acdc.office.com
    outlook-fs.office.com


    C:\Users\Administrator>

  • Same with the telnet test. With every test I get a different IP address.

    This is OK.

  • Hello

    Can you hover the mouse on the firewall logo and share the screenshot?

    Thanks & Regards,
    Vivek Jagad | Team Lead, Global Support & Services 


  • Hey, can you check the web policy applied in the FW rule, as it says "Deny all"?

    Thanks & Regards,
    Vivek Jagad | Team Lead, Global Support & Services 


  • Why? This is the last fw rule, for logging the remaining non-allowed traffic.

    "DenyAll" is a simple Drop "Any" "Any" rule.

    You can see the full sequence:

      - #136 TCP:587 destination "smtp.office365.com"

      - #62 TCP:587 destination "any" - temporary rule because rule #136 is not working correctly

      - #1 "DenyALL" logging the remaining non-allowed traffic

  • Hi,

    On my XG, 587 was not part of the SMTPS service definition; I had to add it.

    ian

    XG115W - v19.5.1 mr-1 - Home


  • My XGS already has this definition.

  • I've seen this behaviour a couple of times; I tried finding the cause with the help of Sophos Support but it proved fruitless. It didn't happen often enough to justify spending the time debugging the logs - we just switched to using the IP ranges on the firewall rule and moved on with life. Probably not the silver bullet you were hoping for...

    Regards
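As an added illustration (not code from the thread, from Sophos or from Microsoft) of why an FQDN-based rule keeps missing: it replays the IPv4 answers from the nslookup outputs posted above as the set of addresses a firewall could have learned, checks the dropped destination 40.99.150.82 against that set, and then against prefixes aggregated from the observed answers. The aggregated prefixes are only a demonstration of why a range-based rule is stable; the authoritative ranges are the Office 365 endpoint list linked earlier in the thread.

```python
import ipaddress

# Constructed from the four nslookup answers posted in this thread. Each query
# for smtp.office365.com returned a different subset of the service's addresses.
LOOKUPS = [
    ["52.97.157.162", "52.98.208.66", "52.97.149.242"],
    ["52.98.152.162", "40.99.150.34", "40.99.214.34", "52.98.175.2"],
    ["40.99.150.2", "40.99.150.18", "40.99.150.50", "52.98.152.178"],
    ["52.98.175.2", "40.101.126.210", "40.101.84.2", "52.98.18.18",
     "52.98.154.146", "52.97.171.194", "52.97.146.2", "40.99.26.210"],
]

# Destination that the firewall dropped according to the thread's screenshot.
BLOCKED_DST = "40.99.150.82"


def fqdn_cache(lookups):
    """Model an FQDN host object: the union of addresses seen in the given lookups.

    A real firewall only knows the answers it (or its DNS cache) has received,
    so a client that resolved a different subset can hit an unknown address.
    """
    return {ipaddress.ip_address(a) for answer in lookups for a in answer}


def rule_matches(dst, cache):
    """An FQDN-based rule matches only if the destination is in the learned set."""
    return ipaddress.ip_address(dst) in cache


def covering_prefixes(cache, prefixlen=24):
    """Collapse the learned addresses into /prefixlen networks (illustration only;
    use the published Office 365 ranges for a production rule)."""
    nets = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in cache}
    return sorted(nets)


def range_rule_matches(dst, prefixes):
    """A range-based rule matches whenever the destination falls in any prefix."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in prefixes)


if __name__ == "__main__":
    learned = fqdn_cache(LOOKUPS)
    print(f"{len(learned)} distinct addresses learned over {len(LOOKUPS)} lookups")
    print(f"FQDN rule matches {BLOCKED_DST}: {rule_matches(BLOCKED_DST, learned)}")
    prefixes = covering_prefixes(learned)
    print(f"range rule matches {BLOCKED_DST}: {range_rule_matches(BLOCKED_DST, prefixes)}")
```

Even the union of all four lookups does not contain the dropped destination, which is the behaviour the original poster and the last reply describe; a rule built from address ranges does not depend on which answer the firewall happened to cache.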
