Hi,I've been reading and tweaking the firewall policy rule to no avail.Made IP lists from official Microsoft web page.Allowed website and application from their official website.Tried with and without SSL InspectionThe policy is put above almost everything else and nothing affect the IP subnet rangeAutopilot won't work (often when choosing Office/365)Nothing is being blocked in FortiAnalyzer except for a few .cabWe're thinking it might be linked to the .cab issue:The DLP is still blocking some .cabauthrootstl.cabdisallowedcertstl.cabpinrulesstl.cabEven if the DLP HTTP-Get is activated or notEven if the file filter for .cab is activated or not. Threat :Action: blocked Threat Direction: incoming Threat Name:data leak by Filter: none Threat Pattern: disallowedcertstl.cab Threat Severity: low Threat Type:Data LeakAny help appreciated.Thank you for your time.

ITCSS

Explorer II

Question

Microsoft Autopilot won't work - Intune - DLP and .cab

Forum|Forum|1 year ago
November 27, 2024
3 replies
1934 views

Hi,

I've been reading and tweaking the firewall policy rule to no avail.

Made IP lists from official Microsoft web page.
Allowed website and application from their official website.
Tried with and without SSL Inspection
The policy is put above almost everything else and nothing affect the IP subnet range

Autopilot won't work (often when choosing Office/365)

Nothing is being blocked in FortiAnalyzer except for a few .cab
We're thinking it might be linked to the .cab issue:
- The DLP is still blocking some .cab
  - authrootstl.cab
  - disallowedcertstl.cab
  - pinrulesstl.cab
    - Even if the DLP HTTP-Get is activated or not
    - Even if the file filter for .cab is activated or not.
          Threat :Action: blocked
          Threat Direction: incoming
          Threat Name:data leak by Filter: none
          Threat Pattern: disallowedcertstl.cab
          Threat Severity: low
          Threat Type:Data Leak
      
      Any help appreciated.
      
      Thank you for your time.

sjoshi

Staff

Hi @ITCSS,

Are you using FGT DLP feature to block certain files types.

Please refer

https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/153498/data-loss-prevention

Thanks, Salon

ITCSSAuthor

Explorer II

Hi @sjoshi ,

To monitor and allow .cab

ITCSSAuthor

Explorer II

Some .cabs seems to pass now. I'm not seeing anything blocking in the FortiAnalyzer. It didn't seem to work yesterday evening but I'm waiting for a new test.

I'm going to keep you updated

ITCSSAuthor

Explorer II

New .cabs being blocked -

Threat Action: blocked
Threat Direction: incoming
Threat Name: data leak by Filter: none
Threat Pattern: Microsoft.VCLibs.120.00.UWPDesktop_12.0.40653.0_x64__8wekyb3d8bbwe.Appx
Threat Severity:low
Threat Type:Data Leak

Why is there a filter:none ?

Also there's no .appx to choose from in the File Filter.

Edit: Still have that message even with "unset dlp-sensor" in CLI

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded