|
Firewall security policy uses FQDN outlook.com as a destination address. For public cloud services, it is better to use Internet service instead of FQDN.
When the security policy has enabled the 'all session' log, get the deny log destination address, and search the ISDB group by the IP address.
Take IP 20.105.73.143 as an example:
diagnose internet-service match root 20.105.73.143 255.255.255.255
Internet Service: 327786(Microsoft-Azure), matched entry num: 2, matched num: 2
Internet Service: 327681(Microsoft-Web), matched entry num: 4, matched num: 4
Internet Service: 327682(Microsoft-ICMP), matched entry num: 2, matched num: 2
Internet Service: 327683(Microsoft-DNS), matched entry num: 2, matched num: 2
Internet Service: 327684(Microsoft-Outbound_Email), matched entry num: 4, matched num: 4
Internet Service: 327686(Microsoft-SSH), matched entry num: 1, matched num: 1
Internet Service: 327687(Microsoft-FTP), matched entry num: 2, matched num: 2
Internet Service: 327688(Microsoft-NTP), matched entry num: 2, matched num: 2
Internet Service: 327689(Microsoft-Inbound_Email), matched entry num: 4, matched num: 4
Internet Service: 327694(Microsoft-LDAP), matched entry num: 4, matched num: 4
Internet Service: 327695(Microsoft-NetBIOS.Session.Service), matched entry num: 2, matched num: 2
Internet Service: 327696(Microsoft-RTMP), matched entry num: 2, matched num: 2
Internet Service: 327704(Microsoft-NetBIOS.Name.Service), matched entry num: 1, matched num: 1
Internet Service: 327680(Microsoft-Other), matched entry num: 2, matched num: 2
Change from FQDN to the above ISDB in firewall security policy, prefer to ISDB relative to email, for example, Microsoft-Azure, Microsoft-Outbound_Email, Microsoft-Inbound_Email. The traffic will be allowed.
Related article:
Technical Tip: How to search ISDB using IP address
|
