07-31-2020 06:09 AM
Hi community
I have a question regarding URL blocking. I want to set a rule in policy that would allow me to block all website access except for specific websites AD users need, such as email (OWA/Outlook client), ticketing system (Spiceworks), etc.
How would you guys approach this? The way I have done this is by creating an allow rule for the websites they need access to, and right under it creating a block rule with "ANY". However, I have noticed ALLOWED websites are loading very slowly, and Outlook takes 5 minutes on its initial boot-up. What am I doing wrong here, and is there a better way to approach this?
Thank you in advance
07-31-2020 06:46 AM
08-06-2020 09:04 AM
Hello Mohammed
We are not using any SSL with this policy.
It's a simple policy that allows internet access to all users, except for specific AD users, who have a "denied ANY" except for a couple of websites that I have allowed specifically for these users, placed above this block ANY rule. However, these allowed websites are taking a long time to load, up to almost 2-5 minutes. We are also noticing the Office 365 online portal doesn't take us to the next steps after sign-in because it's using different URLs in the back-end (for authentication). I hoped that just allowing "microsoft.com, office365.com or outlook.com, etc." would help, but like I said there are more URLs involved, and it sucks that I have to go in and allow more and more URLs just to get one website to work properly. Please let me know if you or anyone else has encountered this issue.
Thanks!
08-06-2020 06:38 PM
08-07-2020 07:20 AM
I found the Microsoft page with their URLs and IP addresses. There are a lot of addresses, and I think URL filtering only supports max up to 50 entries. Do you know if FMC supports wildcards? I may have to shorten a few of them to fit these requirements. Ex. *.microsoft.com
I do have a policy that does Incoming/Outgoing File inspection, but nothing else I see that could be impacting this. I don't understand why this would only affect the AD users specified; all other users excluded from this list have no issues. Could this be an issue on the AD end, and if so, I can't think of reasons why? :/
Thanks!
08-07-2020 07:56 AM
There's a GitHub repo that has a project for downloading the Microsoft URLs into FMC as an object, which can then be used as needed in an Access Control Policy.
Have a look at it here:
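
An added example, not part of the thread and not the GitHub project's code: a Python sketch that reduces a Microsoft-published endpoint list to the required URL entries and drops any entry already covered by a wildcard in the same list, so the allow rule stays small without matching anything the list did not already include. It assumes the field names of the Microsoft 365 endpoint web service JSON (`urls`, `required`, `serviceArea`); the sample data is constructed, the function names are hypothetical, and the limit of 50 is the figure mentioned in the thread, not a verified FMC limit.

```python
import json

# Constructed sample, shaped like the Microsoft 365 endpoint web service output.
SAMPLE = json.loads("""[
 {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": true,
  "urls": ["outlook.office.com", "outlook.office365.com"]},
 {"id": 2, "serviceArea": "Exchange", "category": "Allow", "required": true,
  "urls": ["*.outlook.office.com", "smtp.office365.com"]},
 {"id": 3, "serviceArea": "Common", "category": "Allow", "required": true,
  "urls": ["login.microsoftonline.com", "*.microsoftonline.com", "*.office.com"]},
 {"id": 4, "serviceArea": "Common", "category": "Default", "required": false,
  "urls": ["*.example-optional.invalid"]},
 {"id": 5, "serviceArea": "Exchange", "category": "Optimize", "required": true,
  "ips": ["192.0.2.0/24"]}
]""")

def required_urls(endpoint_sets, service_areas=None):
    """Collect URL entries from required endpoint sets (IP-only sets add nothing)."""
    urls = set()
    for es in endpoint_sets:
        if not es.get("required"):
            continue
        if service_areas and es.get("serviceArea") not in service_areas:
            continue
        urls.update(u.lower() for u in es.get("urls", []))
    return urls

def covered_by(entry, wildcard):
    """True if entry (a host or a narrower wildcard) falls under '*.suffix'."""
    suffix = wildcard[1:]  # "*.office.com" -> ".office.com"
    return entry != wildcard and entry.lstrip("*").endswith(suffix)

def minimise(urls):
    """Drop entries already matched by a wildcard in the same list.
    Nothing is broadened: no new wildcard is ever invented."""
    wildcards = [u for u in urls if u.startswith("*.")]
    return sorted(u for u in urls if not any(covered_by(u, w) for w in wildcards))

def build_allowlist(endpoint_sets, limit=50, service_areas=None):
    """Return (entries, fits) where fits says whether the list is within limit."""
    entries = minimise(required_urls(endpoint_sets, service_areas))
    return entries, len(entries) <= limit

if __name__ == "__main__":
    entries, fits = build_allowlist(SAMPLE)
    print(f"{len(entries)} entries, within limit: {fits}")
    for e in entries:
        print(" ", e)
```

The redundant entries are removed rather than replaced with broader wildcards such as `*.microsoft.com`, because shortening by hand widens the allow rule beyond what the published list requires.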