ACL for Office365


I am creating an ACL that basically blocks about 240+ M$ Office365 related IP addresses so that Websense will not block the traffic. Web traffic is coming off of a VSS tap into my Summit X460 on port 47 and then I have that mirrored to port 48 going to the Websense server. I do not want Websense to see 240+ IP addresses so I created an ACL to deny. It seems VERY hit and miss whether this works or not. It seemed pretty straightforward to me. Here is an example of the list and my ACL setup. I had to put it on the egress port because the mirror port kept doing its thing before anything else if I tried putting it on the incoming port 47. It works pretty well but occasionally I can see Websense getting a packet to one of the below IPs and see the RST packet which in turn blocks the user from getting to https://outlook.com or https://outlook.office365.com and various other M$ sites that have been defined to be denied. You do not see it in this snippet of the ACL but 132.245.0.0/16 is set up for outlook.office365.com.

Tap > Port 47 > Port 48 (Mirror) > Websense server

configure ports 47 display-string From_Tap
configure ports 48 display-string To_Websense
configure mirror DefaultMirror to port 48
enable mirror DefaultMirror
configure mirror DefaultMirror add port 47 ingress-and-egress

configure access-list Office365-any ports 48 egress

entry 65.55.150.61_32 {
    if match all {
        destination-address 65.55.150.61/32 ;
    }
    then {
        deny ;
        count 65.55.150.61_32 ;
    }
}
entry 65.55.150.160_32 {
    if match all {
        destination-address 65.55.150.160/32 ;
    }
    then {
        deny ;
        count 65.55.150.160_32 ;
    }
}
entry 134.170.52.122_32 {
    if match all {
        destination-address 134.170.52.122/32 ;
    }
    then {
        deny ;
        count 134.170.52.122_32 ;
    }
}
entry 134.170.52.123_32 {
    if match all {
        destination-address 134.170.52.123/32 ;
    }
    then {
        deny ;
        count 134.170.52.123_32 ;
    }
}
entry 134.170.52.124_32 {
    if match all {
        destination-address 134.170.52.124/32 ;
    }
    then {
        deny ;
        count 134.170.52.124_32 ;
    }
}
entry 157.56.138.141_32 {
    if match all {
        destination-address 157.56.138.141/32 ;
    }
    then {
        deny ;
        count 157.56.138.141_32 ;
    }
}

This might not match the above ACL policy because I just took the first few instead of listing all of them but here is an example of the ACL hitting my counters.

Policy Name    Vlan Name  Port  Direction  Counter Name        Packet Count  Byte Count
==================================================================
Office365-any  *          48    egress
                                           104.209.190.8_32            5638
                                           104.209.35.177_32              0
                                           104.210.212.243_32          4879
                                           104.210.4.77_32             2357
                                           104.210.40.87_32            4496
                                           104.214.35.244_32           7445
                                           104.215.146.200_32          3836
                                           104.215.198.144_32          6097
                                           104.41.207.73_32            5958
                                           104.42.231.28_32               0
                                           104.43.140.223_32           4723
                                           104.45.11.195_32            4789
                                           104.45.214.112_32           6963
                                           104.46.1.211_32             4596
                                           104.46.38.64_32            15503
                                           104.46.50.125_32            3617
                                           132.245.0.0_16            106257

1 reply

It might be easier to create an ACL that will send the traffic you want to a mirror.

entry O365_mirror {
    if match all {
        destination-address xx.xx.xx.xx/xx ;
    }
    then {
        mirror ;
    }
}

What do you think?

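Both posts above maintain the policy file by hand, one entry per address, for 240+ prefixes. The following is an added example, not code from the thread or from Extreme Networks: a small Python generator that emits entries in the policy syntax shown above (the original post's `deny` form, or the reply's `mirror` form), collapses overlapping prefixes so that a /32 does not sit inside a /16 with its hits split across two counters, and reads back counter output of the shape the original post pasted to list entries that never matched. The prefix list, the counter text, the entry name `O365_mirror`-style naming convention `<address>_<prefixlen>` and the function names are all constructed or assumed here.

```python
"""Generate an ExtremeXOS-style policy from a prefix list and audit its counters.

Added example, not from the original thread. Assumes the entry syntax shown
in the posts (entry / if match all / destination-address / then / deny|mirror
/ count) and the counter-name convention <address>_<prefixlen>. The prefixes
and counter text below are constructed sample data, not published ranges.
"""
import ipaddress
import re

# Constructed sample prefixes; the /32 inside 132.245.0.0/16 is there on
# purpose so the collapse step has something to remove.
SAMPLE_PREFIXES = [
    "65.55.150.61/32",
    "65.55.150.160/32",
    "132.245.0.0/16",
    "132.245.10.20/32",   # redundant: already covered by 132.245.0.0/16
    "157.56.138.141/32",
]

# Constructed counter readout in the layout the original post pasted.
SAMPLE_COUNTERS = """\
Policy Name    Vlan Name  Port  Direction  Counter Name        Packet Count  Byte Count
==================================================================
Office365-any  *          48    egress
                                           65.55.150.61_32             5638
                                           65.55.150.160_32               0
                                           132.245.0.0_16            106257
                                           157.56.138.141_32           4496
"""


def counter_name(net: ipaddress.IPv4Network) -> str:
    """Entry/counter name in the thread's convention, e.g. 65.55.150.61_32."""
    return f"{net.network_address}_{net.prefixlen}"


def normalize_prefixes(prefixes):
    """Parse, validate (host bits set under a mask raise ValueError) and
    collapse the prefixes so no entry is shadowed by a wider one."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return sorted(ipaddress.collapse_addresses(nets))


def render_policy(prefixes, action="deny"):
    """Emit one policy entry per collapsed prefix with the given action."""
    if action not in ("deny", "mirror"):
        raise ValueError("action must be 'deny' or 'mirror'")
    lines = []
    for net in normalize_prefixes(prefixes):
        name = counter_name(net)
        lines += [
            f"entry {name} {{",
            "    if match all {",
            f"        destination-address {net} ;",
            "    }",
            "    then {",
            f"        {action} ;",
            f"        count {name} ;",
            "    }",
            "}",
        ]
    return "\n".join(lines) + "\n"


# A counter row: "<counter name ending in _NN>  <packet count>  [<byte count>]".
COUNTER_LINE = re.compile(r"^(\S+_\d{1,2})\s+(\d+)(?:\s+(\d+))?$")


def parse_counters(text):
    """Return {counter_name: packet_count}; header and policy rows are skipped."""
    counts = {}
    for raw in text.splitlines():
        m = COUNTER_LINE.match(raw.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def unhit_entries(prefixes, counter_text):
    """Names of configured entries whose counter is absent or zero. These are
    the first place to look when the monitoring box still sees a flow."""
    counts = parse_counters(counter_text)
    return [counter_name(n) for n in normalize_prefixes(prefixes)
            if counts.get(counter_name(n), 0) == 0]


if __name__ == "__main__":
    print(render_policy(SAMPLE_PREFIXES, "deny"))
    print("never matched:", unhit_entries(SAMPLE_PREFIXES, SAMPLE_COUNTERS))
```

Run it stand-alone to print the policy and the zero-hit list; pass `"mirror"` as the action to get the reply's variant. Collapsing matters for the counters as much as for the ACL: with a /32 and its enclosing /16 both installed, one of the two absorbs the hits and the other reads zero, which looks exactly like the "hit and miss" behaviour described in the original post even when the traffic is in fact being matched.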