https://live.paloaltonetworks.com/t5/general-topics/smtp-pop3-over-ssl-how-to-configure-security-rules/m-p/1345#M1036 <HTML><HEAD></HEAD><BODY><P>The policy is correct. You allow all applications that are identified as SSL on the 3 ports 465,993,995 in your scenario.</P><P></P><P>There is no way to modify the app id because the traffic is encrypted. The system can not see what app is trying e.g. to use port 465. So there is only one app called SSL. The only way for the system to identify the app is to use ssl decryption policy. Then you would see which app is using this port.</P><P></P><P>HTH</P></BODY></HTML> Fri, 08 Nov 2013 10:00:27 GMT kbe 2013-11-08T10:00:27Z https://live.paloaltonetworks.com/t5/general-topics/smtp-pop3-over-ssl-how-to-configure-security-rules/m-p/1340#M1031 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>I moved my email serwer from untrust to DMZ. Everything almost is working fine, almost ...</P><P>This server has ftp and webmail function too, so my security rules looks:</P><P><IMG alt="2013-11-07_083113.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/9667_2013-11-07_083113.png" style="width: 620px; height: 102px;" /></P><P>I checked on aplipedia for aplication smtp and pop3. Accroding to aplipedia smtp uses tcp/25,587&nbsp; and pop3 tcp/110.</P><P>Thats true for on secure connections. But how _properly_ pass SSL traffic?</P><P>On my server I use ports 465 (smtp) 993 (imap) 995 (pop3) for secures connections.</P><P>I'd like to use aplications insted of services like I use now.</P><P>I do this as a temporary solution.</P><P></P><P>Please give my advice how to properly cinfigured security rules in such situations.</P><P></P><P></P><P>With Regards</P><P>Slawek</P></BODY></HTML> Thu, 07 Nov 2013 07:37:11 GMT https://live.paloaltonetworks.com/t5/general-topics/smtp-pop3-over-ssl-how-to-configure-security-rules/m-p/1340#M1031 _slv_ 2013-11-07T07:37:11Z https://live.paloaltonetworks.com/t5/general-topics/smtp-pop3-over-ssl-how-to-configure-security-rules/m-p/1341#M1032 <HTML><HEAD></HEAD><BODY><P>Hello <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Slawek</SPAN>,</P><P></P><P>Since according to applipedia, SMTP and POP3 are not incorporating SSL ports like 995 and 465, you can write a separate rule to include smtp and pop3 and have service as 'any'&nbsp; instead of application-default. In that way, you can make sure that your other applications ftp, dns and web-browsing are still riding on their default ports while allowing SMTP and POP3 on all ports.</P><P></P><P>Hope that helps.</P><P></P><P></P><P>Thanks and regards,<BR />Kunal Adak</P></BODY></HTML> Thu, 07 Nov 2013 15:23:45 GMT https://live.paloaltonetworks.com/t5/general-topics/smtp-pop3-over-ssl-how-to-configure-security-rules/m-p/1341#M1032 kadak 2013-11-07T15:23:45Z https://live.paloaltonetworks.com/t5/general-topics/smtp-pop3-over-ssl-how-to-configure-security-rules/m-p/1342#M1033 <HTML><HEAD></HEAD><BODY><P>Hi Kadak</P><P></P><P>Thank You for sugestion, I changed my policy.</P><P>But I have dubt that this is a right way to make workaround in _such_ simple problem.</P><P>I wonder that maybe will be better to change aplication definition and add there my ports. Port that I use are standart and many administrator use the same.</P><P>I sow many time on this forum and tech doc's that it's important to use aplication default in service field of policy - because using "any" could be "dangerous".</P><P></P><P></P><P>With Regards</P><P>SLawek</P></BODY></HTML> Thu, 07 Nov 2013 16:34:10 GMT https://live.paloaltonetworks.com/t5/general-topics/smtp-pop3-over-ssl-how-to-configure-security-rules/m-p/1342#M1033 _slv_ 2013-11-07T16:34:10Z https://live.paloaltonetworks.com/t5/general-topics/smtp-pop3-over-ssl-how-to-configure-security-rules/m-p/1343#M1034 <P>Hell Slawek,</P> <P>&nbsp;</P> <P>Some more investigation lead me to the following document which answers your scenario:</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHqCAK" target="_self">App-IDs for SSL-Secured Versions of Well-Known Services</A></P> <P>&nbsp;</P> <P>Hope the above document helps you.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thanks and regards,</P> <P>Kunal Adak</P> Thu, 06 Apr 2023 15:03:10 GMT https://live.paloaltonetworks.com/t5/general-topics/smtp-pop3-over-ssl-how-to-configure-security-rules/m-p/1343#M1034 kadak 2023-04-06T15:03:10Z https://live.paloaltonetworks.com/t5/general-topics/smtp-pop3-over-ssl-how-to-configure-security-rules/m-p/1344#M1035 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Second point looks interesting:</P><P>"Create service objects for the SSL-variant ports, and allow 'ssl' App-ID in security policy on those services: SMTPS:TCP/465; IMAPS:TCP/993; POP3S:995; IMAPS:TCP/585."</P><P></P><P>Is my policy correct?</P><P><IMG alt="2013-11-07_195431.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/9677_2013-11-07_195431.png" style="width: 620px; height: 32px;" /></P><P>ie. "Port 465" has tcp/465 enabled.</P><P></P><P>Regards</P><P>SLawek</P></BODY></HTML> Thu, 07 Nov 2013 18:56:40 GMT https://live.paloaltonetworks.com/t5/general-topics/smtp-pop3-over-ssl-how-to-configure-security-rules/m-p/1344#M1035 _slv_ 2013-11-07T18:56:40Z https://live.paloaltonetworks.com/t5/general-topics/smtp-pop3-over-ssl-how-to-configure-security-rules/m-p/1345#M1036 <HTML><HEAD></HEAD><BODY><P>The policy is correct. You allow all applications that are identified as SSL on the 3 ports 465,993,995 in your scenario.</P><P></P><P>There is no way to modify the app id because the traffic is encrypted. The system can not see what app is trying e.g. to use port 465. So there is only one app called SSL. The only way for the system to identify the app is to use ssl decryption policy. Then you would see which app is using this port.</P><P></P><P>HTH</P></BODY></HTML> Fri, 08 Nov 2013 10:00:27 GMT https://live.paloaltonetworks.com/t5/general-topics/smtp-pop3-over-ssl-how-to-configure-security-rules/m-p/1345#M1036 kbe 2013-11-08T10:00:27Z https://live.paloaltonetworks.com/t5/general-topics/smtp-pop3-over-ssl-how-to-configure-security-rules/m-p/1346#M1037 <HTML><HEAD></HEAD><BODY><P>I understand your explanation.</P><P>In my opinion it is mistake to put only one 586port and 25 as a ports for smtp. Most of Us using also different ports too.</P><P>Using workaround that provice Kadak we have to make another policy that PA have to process, so we have two policy in every situation where is SSL traffic and regular trafic but on different ports (like in my scenario).</P><P>If this is Palo Alto vision - I can't do anything with it <SPAN __jive_emoticon_name="sad"></SPAN></P><P></P><P>I can't use decryption.</P><P></P><P></P><P>Regards</P><P>Slawek</P></BODY></HTML> Fri, 08 Nov 2013 13:30:03 GMT https://live.paloaltonetworks.com/t5/general-topics/smtp-pop3-over-ssl-how-to-configure-security-rules/m-p/1346#M1037 _slv_ 2013-11-08T13:30:03Z https://live.paloaltonetworks.com/t5/general-topics/smtp-pop3-over-ssl-how-to-configure-security-rules/m-p/1347#M1038 <HTML><HEAD></HEAD><BODY><P>Which other way do you see to implement inspection of encrypted data flow?</P><P>Have you looked at the data flow chart explaining how the PA dataplane handels traffic? Maybe that helps to understand.</P><P>I don´t think there is another vendor that can identify an application that sends encrypted traffic without breaking the encryption. How should this work?</P><P>And the ports 25 and 586 are the default ports for smtp (see RFC5321). No matter which other ports you are using.</P><P>And there is no problem by creating more than one rule to handle traffic that can not be handled by only one rule. I also created some own services to handle traffic that is not caught by the app-default setting. </P><P></P><P>I don´t see the main problem you seem to have with the PA way.</P><P></P><P>cu</P></BODY></HTML> Fri, 08 Nov 2013 14:02:20 GMT https://live.paloaltonetworks.com/t5/general-topics/smtp-pop3-over-ssl-how-to-configure-security-rules/m-p/1347#M1038 kbe 2013-11-08T14:02:20Z