How to allow Microsoft Family Safety in a hardware firewall?

Anonymous
2025-01-01T01:04:24+00:00

How do I allow Microsoft Family Safety in a Palo Alto firewall?

With the VPN off on the iPhone, I find the iPhone can use Facebook behind the firewall, which decrypts traffic.

Whether the VPN on the iPhone is off or on, Microsoft Family Safety can always show the correct interface.

But the Pixel 8a cannot show Microsoft Family Safety when the Bitdefender VPN on the Pixel 8a is off.

I find that I can send WhatsApp messages on the Pixel 8a when Bitdefender Security web protection is off.

But after allowing dns.bitdefender.net and family.microsoft.com in the Palo Alto firewall, it cannot send WhatsApp messages again, and Microsoft Family Safety still cannot show the correct interface screen on the Pixel 8a.

Windows for business | Windows Client for IT Pros | Networking | Other

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


3 answers

  1. Anonymous
    2025-01-02T06:03:41+00:00

    Hello,

    Thank you for posting in Microsoft Community forum.

    Based on the description, I understand your question is related to firewall.

    1. Problem Analysis

    1.1 DNS Resolution and Firewall Rules

    Issue: The Palo Alto firewall may be blocking DNS queries related to Microsoft Family Safety and Bitdefender. Even though the user has allowed dns.bitdefender.net and family.microsoft.com domains, other related domains might not be permitted.

    Impact: If DNS resolution fails, the relevant services cannot connect, causing issues with the functionality of the apps.

    1.2 SSL Decryption Configuration Issues

    Issue: The Palo Alto firewall may not be properly decrypting traffic for WhatsApp and Microsoft Family Safety. While Facebook traffic is decrypted, some applications may use different encryption protocols that the firewall is not recognizing and decrypting.

    Impact: Undecrypted traffic might be considered potential threats or unknown traffic by the firewall and thus blocked or mishandled.

    1.3 Application Layer Traffic Identification and Blocking

    Issue: The firewall's application identification (App-ID) might not be correctly recognizing and classifying the traffic for Microsoft Family Safety and WhatsApp. Some traffic might be mistakenly flagged as malicious or unauthorized, resulting in it being blocked.

    Impact: Misidentifying traffic at the application layer may result in the blocking of legitimate app traffic.

    1.4 URL Filtering and Proxy Interference

    Issue: The Palo Alto firewall's URL filtering or Bitdefender Web Protection may be interfering with the normal communication of Microsoft Family Safety and WhatsApp. The URL filtering might mistakenly block essential resources that these apps need to access.

    Impact: Strict URL filtering could prevent the apps from loading necessary resources or completing required network requests, impairing their functionality.

    1.5 Device Caching and Network Configuration Differences

    Issue: The network behavior on the Pixel 8a and iPhone may differ due to device-specific network configurations, cached data, or residual security app settings. The Pixel 8a’s traffic might not be parsed or processed correctly.

    Impact: Device-level cache, DNS settings, or VPN configurations may interfere with the apps' network connections, resulting in issues on some devices.

    2. Solutions

    Based on the analysis, the following step-by-step solutions are recommended:

    2.1 Check DNS Resolution and Firewall Rules

    1. In the Palo Alto firewall, go to Objects > External Dynamic Lists and ensure all necessary domains related to Bitdefender and Microsoft Family Safety are allowed.
    2. Verify the firewall's Network > DNS settings to ensure that DNS resolution for the relevant domains is not blocked.
    3. Use tools like nslookup on the Pixel 8a to check if DNS resolution for dns.bitdefender.net and family.microsoft.com is working properly.

    2.2 Configure and Check SSL Decryption

    1. Go to the Palo Alto firewall's Policies > Decryption section and check the decryption rules. Ensure that "SSL Forward Proxy" or "SSL Inbound Inspection" is configured to decrypt the traffic for Microsoft Family Safety and WhatsApp.
    2. Review the decryption logs in Monitor > Logs > Traffic to ensure that traffic is being decrypted successfully. If any decryption failures are logged, adjust the decryption strategy accordingly.
    3. Use packet capture tools like Wireshark to verify that decrypted traffic for Microsoft Family Safety and WhatsApp is not being mistakenly blocked.

    2.3 Adjust Application Identification and Security Policies

    1. In the Palo Alto firewall's Policies > Security section, check and ensure that the App-ID rules are configured correctly to recognize and allow traffic for Microsoft Family Safety and WhatsApp.
    2. In Monitor > Logs > Threat, review the application identification logs to ensure that the traffic for these apps is not being mistakenly flagged as malicious or suspicious.

    2.4 Adjust URL Filtering and Proxy Settings

    1. Check the URL filtering rules in Objects > Security Profiles > URL Filtering to ensure that no rules are blocking the URLs required for Microsoft Family Safety or WhatsApp.
    2. If the URL filtering is too strict, temporarily disable or adjust the rules to see if this resolves the issue.
    3. Verify that no proxy or application filter settings in Policies > Security or Objects > Application Filter are interfering with these apps' traffic.

    2.5 Clear Device Cache and Restart Network Connections

    1. On the Pixel 8a, go to Settings > Network & Internet > Advanced > Reset Wi-Fi, Mobile & Bluetooth to clear the DNS cache.
    2. Restart the Pixel 8a to ensure that all cached settings and configurations are reset.
    3. Test the Pixel 8a on different networks (e.g., home Wi-Fi, public Wi-Fi) to isolate whether the issue is specific to the current network configuration or the firewall.

    2.6 Test and Verify

    1. After making the changes, test whether WhatsApp can send messages successfully.
    2. Verify if Microsoft Family Safety displays the correct interface on the Pixel 8a.
    3. Check the firewall logs in Monitor > Logs > Traffic to ensure that no necessary traffic for these apps is being blocked.

    3. Summary

    By adjusting the DNS rules, SSL decryption configuration, application identification, URL filtering, and device-level settings, the user should be able to resolve the issues with Microsoft Family Safety and WhatsApp on the Pixel 8a. The provided steps cover a range of potential causes, including DNS issues, traffic decryption, application identification, and interference from security software, allowing for a systematic approach to troubleshooting and fixing the problem.

    Have a nice day. 

    Best Regards,

    Molly
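
An added example, not part of the original answer or of any vendor tooling: a Python check for steps 2.1 and 2.2 above, run from a client behind the firewall, that reports per host whether DNS resolves and whether the certificate the client receives was issued by the firewall's forward-proxy CA (meaning the session is being decrypted). The CA name `Example-Forward-Trust-CA` and all function names are assumptions; the hostnames are the two named in the question.

```python
import socket
import ssl

# Assumption: a substring of the subject name of the firewall's forward-trust CA,
# as it appears in the issuer of re-signed certificates. Replace with your own.
FIREWALL_CA_MARKER = "Example-Forward-Trust-CA"

def issuer_text(cert):
    """Flatten the issuer field of an ssl getpeercert() dict to 'key=value, ...'."""
    return ", ".join(f"{k}={v}" for rdn in cert.get("issuer", ()) for k, v in rdn)

def classify(resolved, issuer, error=None, ca_marker=FIREWALL_CA_MARKER):
    """Map one probe result to a verdict string."""
    if not resolved:
        return "dns-failure"        # name did not resolve (step 2.1)
    if error is not None:
        return "tls-failure"        # reset, timeout, or certificate not trusted
    if ca_marker.lower() in issuer.lower():
        return "decrypted"          # certificate re-signed by the firewall CA
    return "not-decrypted"          # certificate from some other CA reached the client

def probe(host, port=443, timeout=5.0):
    """Resolve host, complete a TLS handshake, and classify the issuer seen."""
    try:
        socket.getaddrinfo(host, port)
    except socket.gaierror:
        return classify(False, "")
    ctx = ssl.create_default_context()  # verifies against this client's trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(True, issuer_text(tls.getpeercert()))
    except (ssl.SSLError, OSError) as exc:
        # A verification error here means this client does not trust the CA
        # that signed the certificate it was shown.
        return classify(True, "", error=str(exc))

if __name__ == "__main__":
    # Hostnames taken from the question above.
    for name in ("family.microsoft.com", "dns.bitdefender.net"):
        print(f"{name}: {probe(name)}")
```
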

  2. Anonymous
    2025-01-02T10:51:05+00:00

    nslookup can show a result on the Pixel 8a.

    With iPhone Screen Time set to allow specified websites only, it can also show the correct Family Safety screen.

    Though the Edge browser shows web-browsing blocked for family.microsoft.com, why can't the Pixel 8a show the correct screen like the iPhone can?

    Palo Alto did not decrypt the Microsoft domains, whose address group included all domains from

    https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide and also the Microsoft certificate domains.

    My laptop can browse family.microsoft.com behind the Palo Alto firewall when the laptop is without VPN.

  3. Anonymous
    2025-01-08T06:28:38+00:00

    Given the issues you're facing with Microsoft Family Safety displaying differently on various devices and under different network settings, here are more streamlined steps to potentially resolve the discrepancies:

    1. Adjust Firewall SSL Decryption Settings:

    1.1 Check and modify the SSL decryption settings on your Palo Alto firewall to ensure that it includes decryption for all relevant Microsoft domains, not just family.microsoft.com.

    2. Examine Application-Specific Firewall Rules:

    2.1 Verify that there are no specific rules or exceptions in the firewall that might be affecting the traffic associated with Microsoft Family Safety differently across devices.

    3. Conduct Controlled Tests:

    3.1 Perform tests by toggling specific firewall settings, especially around SSL decryption and application-based rules, to see how changes affect the visibility and functionality of Microsoft Family Safety on different devices.

    4. Consult Palo Alto Support:

    4.1 If local adjustments do not resolve the issue, it might be useful to contact Palo Alto support for deeper insight or potential updates that better handle encrypted traffic from Microsoft services.

    By taking these steps, you should be able to better understand and potentially resolve the variable behaviors of Microsoft Family Safety across your devices.
