topic Re: GMAIL Base and SMTP - WTF?? in General Topics

GMAIL Base and SMTP - WTF??

darren_g — Wed, 29 May 2013 00:41:32 GMT

Folks.

The latest content update (pushed today, my time) gave me the following warning in the task when I installed it

VSYS1: Rule 'Outbound_Traffic' application dependency warning: Application 'gmail-base' requires 'smtp' to be allowed, but 'smtp' is denied by rule 'Outbound_Bad'

WTF? Since when does GMail require SMTP? The local installations don't use SMTP - they connect to GMail over HTTP/HTPS, and the GMail back-end servers do the SMTP stuff. Why does Palo Alto now think GMail requires SMTP? I should add that I have checked the release notes for this content release and they mention *nothing* about there being a change to the gmail-base app signature.

I'm not allowing SMTP outbound from everything, because the idiots who run crap like iJunk get my outbound address into blackholes by using misconfigured junk which identifies itself as "localhost.localdomain" in the SMTP EHLO sessions - yet I need GMail for regular use.

Anyone know what the hell is going on here? Impressed I am not.

Cheers

Re: GMAIL Base and SMTP - WTF??

sdurga — Wed, 29 May 2013 02:19:51 GMT

I see the same behavior in my lab device too. I did not see anything mentioned in the release notes stating that any changes are made to application "gmail". This looks like a bug, please open a ticket with support for a resolution.

Re: GMAIL Base and SMTP - WTF??

darren_g — Wed, 29 May 2013 02:25:02 GMT

I already have.

Yet another Palo Alto QA failure right here, boys and girls.

I find your lack of Quality....disturbing.

Re: GMAIL Base and SMTP - WTF??

ggutierrez — Wed, 29 May 2013 18:48:35 GMT

Can I ask for the case number that was opened for this issue?

Re: GMAIL Base and SMTP - WTF??

darren_g — Wed, 29 May 2013 22:07:23 GMT

No, because they haven't given me one yet.

The joys of partner support.

Are you from Palo Alto, or do you just want to reference it for your own case?

Re: GMAIL Base and SMTP - WTF??

SRA — Mon, 03 Jun 2013 20:32:07 GMT

When using clients to access Gmail, the outgoing mail server is smtp.gmail.com and this uses SMTP over SSL or StartTLS. This traffic will be identifed as smtp when using StartTLS or when the SSL session is decrypted.

https://support.google.com/mail/answer/13287?hl=en

Re: GMAIL Base and SMTP - WTF??

ericgearhart — Mon, 03 Jun 2013 20:52:25 GMT

He directly addressed this in his original description of the question... he's not using actual clients, he's using strictly web-based Gmail:

The local installations don't use SMTP - they connect to GMail over HTTP/HTPS, and the GMail back-end servers do the SMTP stuff. Why does Palo Alto now think GMail requires SMTP? I should add that I have checked the release notes for this content release and they mention *nothing* about there being a change to the gmail-base app signature.

Re: GMAIL Base and SMTP - WTF??

SRA — Mon, 03 Jun 2013 20:57:41 GMT

The warning message identifies application dependencies for all potential app usage scenarios. If your particular scenario does not need the dependency, you can ignore the warning.

Re: GMAIL Base and SMTP - WTF??

darren_g — Mon, 03 Jun 2013 22:04:26 GMT

If that's the case, why have I *never* seen this warning before the last content package pushed to my device (375-1810).

I have not changed my rulebase. I have not changed my filtering parameters. I have been manually installing content updates since day dot (I have been bitten with automatic upgrades before, and I refuse to allow them to install automatically), and I have never once seen this warning on content install.

There was no mention of this change in the release notes. There's no comment anywhere that I can find from Palo Alto which says, or has said, that SMTP is a requirement. The previous application definition release has NO mention of SMTP being a dependency in the gmail app, or in any of its sub-apps.

I don't believe that SMTP is required at all for the Gmail web app - indeed, I've never seen a single packet going to Gmail which is identified as "SMTP" by the Palo Alto.

So for Palo Alto to suddenly push an app content release which links SMTP to Gmail without notice is a fail on their part, plain and simple.

Re: GMAIL Base and SMTP - WTF??

SRA — Mon, 03 Jun 2013 22:43:44 GMT

That change was done in content version 375 and I definitely agree with you that it should have been listed in the content release notes. We are investigating why it missed the release notes and will try to prevent it in the future.

Re: GMAIL Base and SMTP - WTF??

darren_g — Tue, 04 Jun 2013 02:57:49 GMT

Well, got my answer back from PA support.

Apparently, this was done to make some crApple device work properly, no doubt it broke as part of the on-going wars between Google and Apple.

From the last reply

===

To clarify further, Bug 52402 has already been filed with the category of resolved.

The reason for this dependency is that when using gmail on iPhone, the traffic goes out through smtp. After some live tests, it was decided to add smtp as the dependency app. Since this change is minor (no signature change but app definition change only), our release note generation script didn't automatically pick this up properly by adding gmail in the modified app release note section.

We will work with QA to make sure this shouldn't happen again in the future!

===

So I re-applied the update (which crashed the management plane, but that's maybe because of the quick upgrade/rollback I did in the first place), got the same warning - but web-based Gmail still works.

So now, I get a bloody warning every time I commit a policy change. Yay.

Re: GMAIL Base and SMTP - WTF??

ericgearhart — Tue, 04 Jun 2013 13:31:56 GMT

It'd be nice if maybe a rule had a "don't warn me about dependencies" checkbox or something... I run into this every day too, because I don't have IPsec turned on for my GlobalProtect rule. I don't ever want to use IPSec... I only want to use SSL based VPN.

Re: GMAIL Base and SMTP - WTF??

darren_g — Wed, 05 Jun 2013 00:02:45 GMT

You're preaching to the converted, my friend.

Re: GMAIL Base and SMTP - WTF??

Licensing-CICP — Mon, 05 Aug 2013 22:03:49 GMT

v5 removes all the app dependency warnings. Any required dependencies are included in the app.

Re: GMAIL Base and SMTP - WTF??

darren_g — Mon, 05 Aug 2013 23:27:34 GMT

Really? So how come I still get the following every time I commit a config change?

VSYS1

vsys1: Rule 'Outbound_Traffic' application dependency warning:

Application 'gmail-base' requires 'smtp' be allowed, but 'smtp' is denied in Rule 'Outbound_Bad'

Re: GMAIL Base and SMTP - WTF??

Retired Member — Tue, 06 Aug 2013 06:21:51 GMT

vsys1: Rule 'new' application dependency warning:

Application 'gmail-base' requires 'smtp' be allowed, but 'smtp' is denied in Rule 'rule3'

(Module: device)

same with us

Re: GMAIL Base and SMTP - WTF??

Licensing-CICP — Tue, 06 Aug 2013 14:08:12 GMT

Gmail-base has a dependency on smtp. If you are on v5, smtp should be automatically included as a dependency with gmail-base by PAN OS if you don't specify it. Any smtp traffic related to gmail would be caught by your rule. The dependency warning appears to be a bug.

It looks like you have a default allow rule and then only block "bad" apps. By default the firewall will block any traffic so you really don't need that rule. Instead you could just add a rule to merely log what was blocked. But since you specified the smtp app, it is triggering the dependency warning.

Re: GMAIL Base and SMTP - WTF??

darren_g — Tue, 06 Aug 2013 21:58:31 GMT

CrashCart wrote:

Yeah, another one. Ho hum.

Not true. My rulebase is setup this way for a reason.

I have three rules for "general" (user) passage through the firewall (specific purpose rules not included - there are a number of them).

1) Approved apps - known_good - allow

2) Unapproved apps - known_bad - deny

3) Everything else - overflow - allow, but report daily to the administrator (me).

I cannot go to a "default-closed" environment because of the nature of our business - you'd be surprised how many apps come through the "overflow" report - apps recognised, but on non-standard ports (web browsing on 8080 is a classic example, SSL on 995 another) which do not match the first rule because that rule is configured "application default" on the service identifier.

This way, I don't stop my users from working (believe me, if I blocked web browsing on 8080, the brown sticky stuff would hit the rotating air distribution blades as nobody would be able to access resources at one of our biggest clients), but I look at the reports daily and add any "new" apps which don't have a business purpose to the known_bad application group and get them blocked, similarly any "new" apps which *do* have a business purpose to the "known_good" group and get them out of the report.

SMTP is specifically denied in the "known_bad" group except from approved nodes (our outbound mail relay) because of pieces of crap like iPhones which just pretend to be SMTP servers and connect to other SMTP servers, identifying themselves as "localhost.localdomain" - which promptly results in my outbound IP address being dumped in black holes, which means I can't send mail out - not a good thing.

Re: GMAIL Base and SMTP - WTF??

Licensing-CICP — Fri, 09 Aug 2013 20:38:32 GMT

We just deployed our first PAN device at an office after installing previous PAN devices at our data centers. it is indeed much more difficult to deploy in an office setting. I was also shocked to see all those apps show up, and on non-standard ports like SSL on 444 and 8200, webmail on 993, and of course web-browsing on 8080. I was hoping to get to a default deny rule after observing traffic for a few weeks. Not sure if and when that will happen.

Re: GMAIL Base and SMTP - WTF??

mikand — Sun, 11 Aug 2013 18:57:49 GMT

Which PANOS are you running?

Because even if 5.x is supposed to somewhat fix the dependency hell (inspired by the Microsoft dll hell? 😉 it seems that not all dependencies are being taken care of by the 5.x release.

Another issue with this "magic" auto dependency in the background is for how many packets should it allow traffic before the auto depedent appid is being blocked?

For example smtp for the case of gmail should only be valid if the domain is .google.com (and whatever other domains google uses nowadays). It would be really bad if the auto depedency suddently, silently, allows any smtp to the rest of the world while you as an admin think you have only allowed gmail as appid... (sure, a workaround might be to add custom urldb that only allows this rule if the http host request matches but still).