topic Re: Some emails not working on iPhone behind PA in General Topics

Some emails not working on iPhone behind PA

Hwinter — Sun, 02 Apr 2017 12:02:52 GMT

I have a weird problem. I installed a VM100 connected via PPPoE to the ISP, standard NAT, DHCP configured on the LAN side.

Issue: unable to receive/send emails from iPhone from SOME providers using inherid IOS app:

Corporate email: working via IOS email app
iCloud email: not working via IOS email app
Gmail email: not working via IOS email app, but works from "Inbox" app (on the same iPhone!!)

PS: Web browsing is fine and even my SIP Trunk is working.

Any ideas? I have set MTU to 1480 on the WAN interface. which was my first thought...

Thanks!

Re: Some emails not working on iPhone behind PA

Hwinter — Sun, 02 Apr 2017 13:51:22 GMT

Turns out iCloud and gmail are using non-standard ports. I had to change the policy (Policies -> Security) from:

- Application: application_default

.to.

- Application: any

I suppose I could have tweeked the application_default to allow the gmail and icloud custom ports too. That will be my next step. However, it is working with any. It looks like there was a change on 7.1:

https://live.paloaltonetworks.com/t5/PAN-OS-7-1-Articles/PAN-OS-7-1-Policy-behavior-change-application-default/ta-p/75664

Re: Some emails not working on iPhone behind PA

LRCAIT — Fri, 09 Dec 2022 19:07:57 GMT

If you're still around, @Hwinter , I wanted to let you know that this old note saved a stranger a bunch of time in the year 2022. Thanks!

It'd be great if someone could explain to me how or why traffic that was blocked for being on a non-standard port didn't make into the Traffic log as thusly denied. Is there something I can configure to see traffic that is blocked because an app is using a non-standard port?

Re: Some emails not working on iPhone behind PA

Adrian_Jensen — Fri, 09 Dec 2022 22:19:31 GMT

@LRCAIT The default "intrazone-default" and "interzone-default" Security policies do not log by default, the interzone policy denies traffic. So if you have allow rules for an Application(s) with "application-default" Service and you do not have your own deny-everything-else Security policy, then the traffic falls thru to the "interzone-default" rule and is blocked without logging. Additionally, if you do have a deny-everything rule, but the Service in the rule is set to "application-default" (with an "any" Application) then you deny rule also won't match as the traffic may have been identified as an application that is on a non-standard port.

You can update these 2 built-in PaloAlto rules to log by selecting from the policy list and clicking "Override" at the bottom. Then edit to log traffic to your Log Forwarding profile.

https://docs.paloaltonetworks.com/best-practices/10-2/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-policy/step-5-enable-logging-for-traffic-that-doesnt-match-any-rules

Re: Some emails not working on iPhone behind PA

LRCAIT — Fri, 09 Dec 2022 22:47:04 GMT

Thanks, @Adrian_Jensen. Makes perfect sense. This also explains why I kept seeing the default interzone rule hit counts increment, even though I had a deny-all interzone rule ahead of it that for logging purposes.