How to create an allow listing for a range of microsoft ips

arivadeneira · ‎05-28-2021

We currently have a need to allow access to a subset of micsosoft ips which are currently housed in brazil. We have a country block and a country allow group but do not want to provide full access to all sites in that country. What is the best way to allow the traffic in Netskope based on the ips that microsoft has provided for Brazil which seem to be in the 52.109.88.0/24 range?

sooraj · ‎05-31-2021

@arivadeneira There is no option to block users based on destination IPs.

The only available options are to create policies based on Source IP, Source Country, and Destination Country.
You could submit this as a new feature request from the 'Feedback' section on your tenant UI.

juergen · ‎06-01-2021

@arivadeneira you are talking about Microsoft and this is wide open topic. Do you mean O365 Access. If yes you can try policy where you allow the office apps and combine it with destination country (Brazil). However there is always a risk that some traffic has to leave the country and maybe some IP range from MS may not be listed correctly in the geo location DB we use. So it is a bit of a risky approach and has to be tested first.

rfletcher · ‎06-03-2021

It's a bit manual but couldn't you create a network location and create your policy based on an IP range? I think @juergen said it best that it's a risky approach depending on what Microsoft Service you are trying to use/protect with Netskope.

-Ryan

sooraj · ‎06-03-2021

@rfletcher currently, there is no option to create a policy based on Destination IPs.
What @juergen suggested would be the best approach in the given scenario, with the clauses he has mentioned.