ACL for Office365

  • Question
  • Updated 2 years ago
  • Answered
I am creating an ACL that basically blocks about 240+ M$ Office365 related IP addresses so that Websense will not block the traffic. Web traffic is coming off of a VSS tap into my Summit X460 on port 47 and then I have that mirrored to port 48 going to the Websense server. I do not want Websense to see 240+ IP addresses so I created an ACL to deny. It seems VERY hit and miss whether this works or not. It seemed pretty straightforward to me. Here is an example of the list and my ACL setup. I had to put it on the egress port because the mirror port kept doing its thing before anything else if I tried putting it on the incoming port 47. It works pretty well but occasionally I can see Websense getting a packet to one of the below IPs and see the RST packet which in turn blocks the user from getting to https://outlook.com or https://outlook.office365.com and various other M$ sites that have been defined to be denied. You do not see it in this snippet of the ACL but 132.245.0.0/16 is set up for outlook.office365.com

Tap > Port 47 > Port 48 (Mirror) > Websense server

configure ports 47 display-string From_Tap
configure ports 48 display-string To_Websense
configure mirror DefaultMirror to port 48 
enable mirror DefaultMirror
configure mirror DefaultMirror add port 47 ingress-and-egress

configure access-list Office365-any ports 48 egress

entry 65.55.150.61_32 { 
if match all { 
    destination-address 65.55.150.61/32 ;
}
then {
    deny  ;
    count 65.55.150.61_32 ;
}
}
entry 65.55.150.160_32 { 
if match all { 
    destination-address 65.55.150.160/32 ;
}
then {
    deny  ;
    count 65.55.150.160_32 ;
}
}
entry 134.170.52.122_32 { 
if match all { 
    destination-address 134.170.52.122/32 ;
}
then {
    deny  ;
    count 134.170.52.122_32 ;
}
}
entry 134.170.52.123_32 { 
if match all { 
    destination-address 134.170.52.123/32 ;
}
then {
    deny  ;
    count 134.170.52.123_32 ;
}
}
entry 134.170.52.124_32 { 
if match all { 
    destination-address 134.170.52.124/32 ;
}
then {
    deny  ;
    count 134.170.52.124_32 ;
}
}
entry 157.56.138.141_32 { 
if match all { 
    destination-address 157.56.138.141/32 ;
}
then {
    deny  ;
    count 157.56.138.141_32 ;
}
}

This might not match the above ACL policy because I just took the first few instead of listing all of them, but here is an example of the ACL hitting my counters.


Policy Name       Vlan Name        Port   Direction      Counter Name                   Packet Count         Byte Count
==================================================================
Office365-any     *                48     egress
    104.209.190.8_32               5638
    104.209.35.177_32              0
    104.210.212.243_32             4879
    104.210.4.77_32                2357
    104.210.40.87_32               4496
    104.214.35.244_32              7445
    104.215.146.200_32             3836
    104.215.198.144_32             6097
    104.41.207.73_32               5958
    104.42.231.28_32               0
    104.43.140.223_32              4723
    104.45.11.195_32               4789
    104.45.214.112_32              6963
    104.46.1.211_32                4596
    104.46.38.64_32                15503
    104.46.50.125_32               3617
    132.245.0.0_16                 106257

Kyle Buffington


Posted 2 years ago
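When an ACL like the one above is "hit and miss", the first thing to check is the counter output: an entry that never increments either never sees the traffic (wrong port or direction) or is shadowed by a wider prefix. The parser below is an added example, not part of the original post or of EXOS; it reads counter output in the layout shown above (a constructed excerpt of that table is embedded as sample input) and lists the counters that have never matched. It assumes the byte-count column may be blank, as it is in the post.

```python
import re

# Constructed sample input, copied in shape from the counter table in the post
# (a few rows only; the full 240+ entry list is not on the page).
SAMPLE_COUNTER_OUTPUT = """\
Policy Name       Vlan Name        Port   Direction      Counter Name                   Packet Count         Byte Count
==================================================================
Office365-any     *                48     egress
    104.209.190.8_32               5638
    104.209.35.177_32              0
    104.210.212.243_32             4879
    104.42.231.28_32               0
    132.245.0.0_16                 106257
"""

# A counter row: indented name, packet count, optional byte count (blank on the page).
COUNTER_RE = re.compile(r"^\s*(\S+)\s+(\d+)(?:\s+(\d+))?\s*$")


def parse_counters(text):
    """Return {policy_name: {counter_name: packet_count}} from counter output.

    Policy rows start in column 0 (e.g. "Office365-any     *   48   egress");
    counter rows are indented beneath them. Header and separator lines are skipped.
    """
    result = {}
    policy = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or line.startswith("Policy Name"):
            continue
        if not line[0].isspace():
            # Unindented line: a new policy block begins.
            policy = line.split()[0]
            result.setdefault(policy, {})
            continue
        m = COUNTER_RE.match(line)
        if m and policy is not None:
            result[policy][m.group(1)] = int(m.group(2))
    return result


def zero_hit_counters(text):
    """Names of counters that have never matched, sorted, across all policies.

    A zero here means either no traffic to that prefix crossed the port in the
    configured direction, or a wider entry (such as a /16) matched first.
    """
    return sorted(
        name
        for counters in parse_counters(text).values()
        for name, packets in counters.items()
        if packets == 0
    )


if __name__ == "__main__":
    for name in zero_hit_counters(SAMPLE_COUNTER_OUTPUT):
        print("never matched:", name)
```

Run it against the saved output of the counter command; the two zero entries in the sample come straight from the table in the post.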


Stephen Williams, Employee

It might be easier to create an ACL that will send the traffic you want to a mirror.

entry <name> { 
if match all { 
    destination-address xx.xx.xx.xx/xx ;
}
then {
    mirror <EXOS_Mirror_name>;
}
}


What do you think?
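Maintaining 240+ hand-written entries in either form (the deny-and-count policy from the question or the mirror-action policy from the answer above) is where mistakes such as duplicate entries, or a /32 silently shadowed by the 132.245.0.0/16 entry, creep in. The generator below is an added example, not code from the original thread or from Extreme; it validates a prefix list, drops duplicates and prefixes already covered by a wider one, and emits entries in the exact layout used on this page. The prefix list is constructed (a few of the post's addresses plus two deliberately bad rows), the entry-name rule (`/` to `_`) is taken from the post, and combining `mirror` with `count` in one `then` block is an assumption about EXOS action modifiers.

```python
import ipaddress

# Constructed sample list: a few prefixes from the post plus a duplicate and a
# /32 that the /16 already covers, to show what the cleanup step catches.
SAMPLE_PREFIXES = [
    "65.55.150.61/32",
    "65.55.150.160/32",
    "134.170.52.122/32",
    "132.245.0.0/16",
    "132.245.10.20/32",   # constructed: covered by 132.245.0.0/16
    "65.55.150.61/32",    # constructed: duplicate of the first row
]


def normalize_prefixes(prefixes):
    """Validate, deduplicate and de-shadow a list of CIDR strings.

    Returns (kept, dropped): kept is the sorted list to emit, dropped lists the
    prefixes that were already covered by a wider prefix in the input.
    strict=True rejects host bits set in the network part (a common typo).
    """
    nets = {ipaddress.ip_network(p, strict=True) for p in prefixes}   # set dedupes
    # Wider prefixes first, so a covering entry is in `kept` before its subnets.
    ordered = sorted(nets, key=lambda n: (n.version, n.prefixlen, int(n.network_address)))
    kept, dropped = [], []
    for n in ordered:
        if any(k.version == n.version and n.subnet_of(k) for k in kept):
            dropped.append(str(n))
        else:
            kept.append(n)
    kept.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(k) for k in kept], dropped


def entry_name(prefix):
    """Counter/entry name in the post's style: 65.55.150.61/32 -> 65.55.150.61_32."""
    return prefix.replace("/", "_")


def render_entry(prefix, action="deny", mirror_name=None):
    """One policy entry matching destination-address `prefix`.

    action="deny"   reproduces the question's deny + count form.
    action="mirror" reproduces the answer's mirror form (mirror name assumed).
    """
    name = entry_name(prefix)
    if action == "deny":
        then_body = f"    deny ;\n    count {name} ;"
    elif action == "mirror":
        if not mirror_name:
            raise ValueError("mirror action needs an EXOS mirror name")
        then_body = f"    mirror {mirror_name} ;\n    count {name} ;"
    else:
        raise ValueError(f"unknown action {action!r}")
    return (
        f"entry {name} {{\n"
        f"if match all {{\n"
        f"    destination-address {prefix} ;\n"
        f"}}\n"
        f"then {{\n"
        f"{then_body}\n"
        f"}}\n"
        f"}}"
    )


def render_policy(prefixes, action="deny", mirror_name=None):
    """Full .pol text for the cleaned prefix list."""
    kept, _ = normalize_prefixes(prefixes)
    return "\n".join(render_entry(p, action, mirror_name) for p in kept) + "\n"


if __name__ == "__main__":
    kept, dropped = normalize_prefixes(SAMPLE_PREFIXES)
    print(f"# {len(kept)} entries kept, shadowed: {dropped}")
    print(render_policy(SAMPLE_PREFIXES, action="mirror", mirror_name="DefaultMirror"))
```

Feed it the real list, write the output to the policy file, and keep the `dropped` report: a /32 that is shadowed is harmless for a deny policy but explains why its counter stays at zero.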