topic Re: Exchange Question in General Topics

Exchange Question

gabrielhill — Fri, 20 Feb 2015 18:05:27 GMT

I feel this may be a dumb question, but I was hoping somebody could give me clarification.

We had some issues with users receiving malware or a virus through a separate email account (ex testcompany.com), them opening it, and then it would send the email to users in their contact list, which included sending emails internally through the local exchange server.

My original thought was that we could move the exchange server directly behind the palo alto, into a "services" zone, and apply anti-virus / wildfire policies to it, to prevent malicious files from flowing internally and spamming tons of internal users.

After testing this, it does not seem that this works the way I expected. It seems that the Palo Alto doesn't recognize traffic between the end user (outlook) and the exchange server in the way I was hoping. It does not seem to inspect attachments with local email. Is there anyway to accomplish this type of security with a Palo Alto device?

(ZONE INT) <------ > (ZONE SERVICES)

Re: Exchange Question

HULK — Fri, 20 Feb 2015 18:19:26 GMT

Hello gabrielhill,

Could you please let us know, if the Exchange server is connected with an SSL connection, then you might need to implement SSL-Decryption, in order to inspect the content of the email.

Thanks

Re: Exchange Question

gabrielhill — Fri, 20 Feb 2015 19:02:34 GMT

Thanks HULK . I am using an SSL connection. I have the certificate uploaded, and I have a SSL decryption policy as a test (just my PC and the Exchange server). I have it set to ssl-inbound-inspection. I try to send

When I try to send an .dll file to my email address, the Palo alto is not showing it in the data filtering potion, nor is it blocking this (I have a rule that should prevent these types of files from flowing through).

I have also tried taking the encryption setting off between my client and the exchange server, but it still does not block any attachments.

Re: Exchange Question

HULK — Fri, 20 Feb 2015 20:39:49 GMT

Could you please double check the session details ( from your machine and exchange server) from the CLI of the PAN firewall:

admin> show session all filter ssl-decrypt yes count yes

admin> show session all filter source x.x.x.x destination y.y.y.y >>>>>>>>>>>>> there should be a "*" symbol which will confirm that the session is getting decrypted

366417 msrpc ACTIVE FLOW * >>>>>>>>>>>>>>

Thanks

Re: Exchange Question

gabrielhill — Sat, 21 Feb 2015 05:02:08 GMT

HULK, show session all filter ssl-decrypt yes count yes - shows that I do have session that match this.

show session all filter source x.x.x.x destination y.y.y.y - I do not see an "*" by the msrpc or ms-exchange connection.

I have the certificate from the exchange server imported, and everything shows valid.

Is there anything I can do that could pinpoint me to the cause?

Thank you,