
Looking for suggestion on dealing with Microsoft O365 bypass with FMC

m1xed0s
Spotlight

I do not think I am the first one who ran into this...but in order to avoid performance issues with Microsoft O365, especially Teams, I had to put a bunch of Microsoft addresses as destinations into an object group in the prefilter rule...So essentially bypass the firewall for that traffic. This is fine if the Microsoft addresses would stay static...So I started looking for ways to automate the process to grab new Microsoft addresses for FMC and deploy them to my FTDs safely. There are three options I checked/tested and none of them is perfect.

#1, using the script published here

This is by far the easiest and it gives me both the IPs as well as the URLs. But the challenges are: the FMC API login credential would be saved in clear text on the server running the script; I have not figured out a consistent way to receive a notification that a change has been made and FMC is pending deployment...I guess I could modify the script to send me an email if any new addresses/URLs have been added...and then log in to conduct a manual deployment.

#2, using Cisco Secure Dynamic Attributes Connector

This is a good option but it only obtains the IP addresses...For what I am trying to accomplish, I guess it is fine, and also I do not have to log in to FMC for configuration deployment if any new addresses have been added. But the challenge is I cannot use the Dynamic Objects in the prefilter rules...I could use the dynamic objects in the ACP rule with action Trust but I worry it would still break certain applications, like SIP...

#3, using SecureX orchestration workflow, here

This option is pretty much the same as #2 for the results as well as challenges but it would also require additional security licenses...

So are there any other options I should check for my simple task, or am I pretty much stuck with a semi-automatic approach for now?
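As an added example (not the script the post links to, and not Cisco or Microsoft code): a Python sketch of the change-detection side of option #1. It pulls Microsoft's published endpoint web service, keeps the required Teams ranges (published under the "Skype" service area in that feed), diffs them against the last saved set, and only when something changed emits a report that a notification and a planned FMC deployment can be hung on. The SAMPLE records are constructed in the feed's shape, and the live fetch is isolated in one function so everything else runs offline.

```python
import json, os, uuid
from urllib.request import urlopen

# Microsoft's published endpoint web service; it wants a fresh client request id per call.
ENDPOINTS_URL = "https://endpoints.office.com/endpoints/worldwide?clientrequestid={}"

def fetch_endpoints():
    """Live fetch of the current endpoint records (network access required)."""
    with urlopen(ENDPOINTS_URL.format(uuid.uuid4())) as resp:
        return json.load(resp)

def extract_prefixes(records, service_areas=("Skype",), required_only=True):
    """IPv4/IPv6 prefixes for the chosen service areas; Teams is published
    under serviceArea 'Skype'. Optional (required=False) entries are skipped."""
    prefixes = set()
    for rec in records:
        if rec.get("serviceArea") not in service_areas:
            continue
        if required_only and not rec.get("required", False):
            continue
        prefixes.update(rec.get("ips", []))
    return prefixes

def check_for_changes(records, previous_prefixes):
    """Diff the current prefix set against the last saved one. A 'changed'
    report is the trigger to notify and schedule a deployment deliberately."""
    current = extract_prefixes(records)
    added = sorted(current - previous_prefixes)
    removed = sorted(previous_prefixes - current)
    return {"changed": bool(added or removed), "added": added,
            "removed": removed, "current": sorted(current)}

# Constructed sample records in the feed's real shape (values illustrative).
SAMPLE = [
    {"id": 11, "serviceArea": "Skype", "ips": ["13.107.64.0/18", "52.112.0.0/14"],
     "udpPorts": "3478,3479,3480,3481", "category": "Optimize", "required": True},
    {"id": 12, "serviceArea": "Skype", "ips": ["2603:1063::/38"],
     "category": "Allow", "required": True},
    {"id": 46, "serviceArea": "Exchange", "ips": ["40.96.0.0/13"],
     "category": "Allow", "required": True},
    {"id": 13, "serviceArea": "Skype", "ips": ["192.0.2.0/24"],
     "category": "Default", "required": False},
]

if __name__ == "__main__":
    state = "m365_prefixes.json"  # last deployed set; FMC creds come from env, not this file
    previous = set(json.load(open(state))) if os.path.exists(state) else set()
    report = check_for_changes(fetch_endpoints(), previous)
    if report["changed"]:
        print(json.dumps(report, indent=1))  # hook a mail/webhook notification here
        json.dump(report["current"], open(state, "w"))
```

Pushing the resulting set into the FMC network group and deploying is left to the existing script; the point here is that nothing is pushed silently, and the FMC credential is read from the environment at run time rather than stored with the code.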

3 Replies

Divya Jain
Cisco Employee

Hi,
you can also make use of the App Detector feature that will help you fast-path the traffic.
Here is a link to one of the PPTs which covers all the different methods:

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3433.pdf

Page 35-37:

• Office 365 App Detector
• Works based on Common Name in Certificate
• Uses the FQDN list managed by Microsoft in the backend.
• Updates come through the VDB update every month


Other than that, yes, make use of the APIs and Microsoft published lists.
Microsoft publishes a list with URL, IPv4 and IPv6 addresses that are used for the infrastructure of the Microsoft cloud applications (e.g. Office 365).





Regards,
Divya Jain

Thanks for the info. I was considering the Trust action but the limitation is "Some protocols, such as FTP and SIP, use secondary channels, which the system opens through the process of inspection. In some cases, trusted traffic can bypass all inspection, and these secondary channels cannot be opened properly. If you run into this problem, change the trust rule to Allow." according to the admin guide...

Not too concerned about FTP but SIP is more related to MS Teams, isn't it? This is why I did not even list it as an option in the post.

Hi,
SIP is Session Initiation Protocol and is a communication protocol. Port ranges depend on the type of communications in your environment, which could be audio, video, chat, etc. So if you are using the Trust action, you can create it like a prefilter rule based on your specific application usage and not generic SIP / FTP usage.


Regards,
Divya Jain
