Block Internet access
Hi,
I'd like to block Internet access for VLAN 20 on our network, but authorize this VLAN 20 to access outlook.office.com
How to proceed?
Thank you in advance for your help
Answers
Have a pair of policies for HTTPS & HTTP from VLAN20.
1) HTTPS proxy or packet filter From: VLAN20 To: FQDN = outlook.office.com
2) HTTPS packet filter From: VLAN20 To: Any-external, set to Denied
Make sure that policy 2 ends up below policy 1 in your config.
Do the same for HTTP.
And make sure that these policies end up above any other general policy which allows HTTPS & HTTP.
There may be more domains which need to be added here, so look in Traffic Monitor for denied when setting this up.
For testing purposes, you can use a test IP addr in the From field to make sure that you have allowed the domain names needed before rolling this into production.
Hi Bruce_Briggs
Thank you for your reply.
I followed the procedure you gave me with HTTP & HTTPS proxy. Internet access is now blocked, but users who have computers in this VLAN 20 do not have access to their e-mail via Outlook Web Access. I've even added the following domains to the rule to test: outlook.office.com, outlook.office365.com, office.com, microsoft365.com, but e-mail access still doesn't work.
Do you have any other suggestions to help me please?
Thank you
What else is shown in Traffic Monitor as being blocked when trying to access e-mail via outlook web access for the test IP addr?
Hi
I have attached a screenshot of Traffic Monitor output when the test IP address tries to access e-mail via Outlook Web Access.
What is your analysis, please?
Note that I have hidden the private information
Thanks
There is no way to directly understand the domain names being accessed from a list of Microsoft IP addrs being denied.
Add a DNS proxy - From: the test IP addr To: Any external
On the proxy action, Query Names, set Default to Log.
Make sure that this DNS policy is above any other DNS policy in your config.
Then you should see domain names which are being accessed in Traffic Monitor, which should help resolve this.
Hi @Zed24
The deny logs suggest that your allow rule (which is likely above that rule) isn't picking up your traffic.
-Do the addresses you're seeing resolve to the domains you allowed?
-Is the firewall able to see DNS queries made by your client PCs?
-Are other assets the webpage needs to load being accounted for in your rule?
-James Carson
WatchGuard Customer Support
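Added example, not from this thread or from WatchGuard: a small Python model of the policy order Bruce describes (FQDN allow above a deny to Any-external, both above the general allow) and of the DNS visibility James asks about. It assumes, as a simplification, that an FQDN policy can only match destination IPs the firewall has learned from DNS replies it inspected; the subnet, IP addresses and domain-to-IP mappings are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: DNS replies the firewall has inspected on their way to
# clients. In this model an FQDN policy can only match IPs that appear here,
# which is why the thread asks whether the firewall sees client DNS queries.
OBSERVED_DNS = {
    "outlook.office.com": {"52.96.0.10", "52.96.0.11"},
    "login.microsoftonline.com": {"20.190.0.5"},
}

# Constructed policy table, evaluated top-down, first match wins.
# The FQDN allow must sit above the VLAN 20 deny, and both above the
# general allow that the rest of the network uses.
POLICIES = [
    {"name": "HTTPS-Allow-OWA", "src": "10.20.0.0/24", "action": "allow",
     "fqdn": {"outlook.office.com", "login.microsoftonline.com"}},
    {"name": "HTTPS-Deny-VLAN20", "src": "10.20.0.0/24", "action": "deny",
     "fqdn": None},
    {"name": "HTTPS-Allow-Any", "src": "0.0.0.0/0", "action": "allow",
     "fqdn": None},
]

def names_for_ip(dst_ip, dns_cache):
    """Reverse the learned DNS cache: which FQDNs resolved to this IP?"""
    return sorted(n for n, ips in dns_cache.items() if dst_ip in ips)

def evaluate(src_ip, dst_ip, policies, dns_cache):
    """Return (policy name, action) of the first policy that matches."""
    for p in policies:
        if ip_address(src_ip) not in ip_network(p["src"]):
            continue
        # An FQDN destination matches only if the cache maps this IP to one
        # of the policy's names; an unknown IP falls through to later rules.
        if p["fqdn"] is not None and not (set(names_for_ip(dst_ip, dns_cache)) & p["fqdn"]):
            continue
        return p["name"], p["action"]
    return None, "deny"  # nothing matched: implicit default deny

def explain_denial(src_ip, dst_ip, policies, dns_cache):
    """Mimic reading a Traffic Monitor deny: was the IP seen in any DNS reply?"""
    name, action = evaluate(src_ip, dst_ip, policies, dns_cache)
    if action == "allow":
        return f"{dst_ip} allowed by {name}"
    seen = names_for_ip(dst_ip, dns_cache)
    if not seen:
        return f"{dst_ip} denied by {name}: no DNS reply seen for it, log query names with a DNS proxy"
    return f"{dst_ip} denied by {name}: resolves to {seen}, add these FQDNs to the allow policy"

if __name__ == "__main__":
    client = "10.20.0.50"
    print(explain_denial(client, "52.96.0.10", POLICIES, OBSERVED_DNS))  # allowed
    print(explain_denial(client, "52.96.0.10", POLICIES, {}))  # DNS reply never seen: denied
    print(explain_denial(client, "13.107.0.7", POLICIES, OBSERVED_DNS))  # IP not in any allowed FQDN
```

Swapping the first two policies makes the deny win even when the DNS cache is populated, which is the ordering mistake Bruce warns about.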
Hi
@Bruce_Briggs: I added the DNS proxy. In Traffic Monitor I can see that the domains outlook.office.com and login.microsoftonline.com are allowed. So access to e-mail should work, but it still doesn't.
@james.carson
I couldn't see the DNS requests from the client PCs in the firewall. Can you tell me how to do this in the Firebox, please?
My rule blocks Internet access only. No change for the rest.
Thanks
Do you have an internal DNS server being used by the test PC?
If so, then can you change the test PC to use a public DNS server such as 1.1.1.1?
Yes we have an internal DNS server.
I changed the DNS on the test PC to 1.1.1.1 and 8.8.8.8 but that didn't solve the problem.
Thanks
So you are not seeing any DNS log entries in Traffic Monitor for the test IP addr?
Review this:
Microsoft 365 URLs and IP address ranges
https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
I see the log entries in Traffic Monitor. It's the e-mail access that isn't working in spite of the changes I've made.
I'll check the link sent to me
Thank you for your help