topic Re: Problem configuring rules for our mail server using anti spam cloud service in General Topics

Problem configuring rules for our mail server using anti spam cloud service

MichelD — Fri, 09 Mar 2018 03:14:18 GMT

I think I<m not on the right track and search documentation to help. i tried to replicate the logic from my olf checkpoint fw. I guess it is not a good idea.

Please HELP!

My configuration is the following (no real IP addresses)

Mail Private Server in a trusted zone (Servers-Zone) PRV-MAIL-SERVER 10.10.5..3 on Interface1/3

The Public Address PUB-MAIL-SERVER 70.34.125.2 (1 of 5 addresses on Interface1/1)

The anti-spam cloud service ANTISPAM-ADDR_GROUP (3 IP addresses range on port 25)

The WebMail Public Addrees WEBMAIL 70.34.125.2 (same as the mail server but port 443) on Interface1/2

I have the following NAT rule for outgoing mails

src-zone : Servers-Zone

dst-zone : Internet-Zone

dst-interface : Internet1/1

src-addr : PRV-MAIL-SERVER

dest-addr : any

Service : smtp

Src-translation: static-ip: PUB-MAIL-SERVER, bidirectional : yes

and the following NAT rule for then incoming mails

src-zone : Internet-Zone

dst-zone : Servers-Zone

dst-interface : Internet1/3

src-addr : PUB-MAIL-SERVER

dest-addr : any

Service : smtp

Src-translation: static-ip: PRV-MAIL-SERVER, bidirectional : yes

The Security Rules are (Outgoing email):

src Zone : Servers-Zone

src Address : PRV-MAIL-SERVER

dst Zone : Internet-Zone

dst-Addr : ANTISPAM-ADDR_GROUP

application : smtp and Service : application-default

Action : Allow

The Security Rules are (Incoming email):

src Zone : Internet-Zone

src Address : ANTISPAM-ADDR_GROUP

dst Zone : Source-Zone

dst-Addr : PRV-MAIL-SERVER

application : smtp and Service : application-default

Action : Allow

I can send email from the mail server to gmail and the action is successful and logged

The reply is not working and nothing in the logs.

Thanks,

Michel

Re: Problem configuring rules for our mail server using anti spam cloud service

reaper — Fri, 09 Mar 2018 09:09:29 GMT

Hi @MichelD

I would deactivate the 'bidirectional' option on your first NAT rule since you're building NAT policy in both directions (you can either do bidirectional, or do 2 policies, 1 for each direction... I recommend doing the 2 policy method as this is more readable and less prone to mistakes)

your second policy needs to be internet-zone to internet-zone, this is because the original packet's zones are determined by a route lookup: the source is located on the internet (0.0.0.0/0) and the original destination is also on the internet (external interface ip)

your destination also needs to be the IP PUB-MAIL-SERVER, not any, the source should probably be the ANTISPAM-ADDR-GROUP (so you only allow inbound NAT from those addresses)

your outbound security policy is fine, but for the inbound security policy the destination IP also needs to be PUB-MAIL-SERVER, instead of the private one

Here's a little article + video about NAT which may be helpful : https://live.paloaltonetworks.com/t5/Tutorials/Getting-Started-Network-Address-Translation-NAT/ta-p/116340

Re: Problem configuring rules for our mail server using anti spam cloud service

MichelD — Sat, 10 Mar 2018 21:17:05 GMT

I changed the configuration as your recommendations. I also read the article. Since I changed the values. the behaviour is a little bit different, but cannot receive emails. The Send is working.

In the Log/Traffic does not show any information about what's going wrong.

I checked all the adresses with the values in our firewall we are replacing. I also tried different scenarios based on what you explain.

Regards,

Michel

Re: Problem configuring rules for our mail server using anti spam cloud service

BPry — Sun, 11 Mar 2018 01:45:55 GMT

@MichelD,

I would recommend that when you are trying to get this to work, you override the interzone-default policy to enable 'logging-start' so that you can see any traffic that is getting dropped due to your security policy configuration. This will allow you to then build out the security policies as needed.

Both of the security policies that you have displayed are showing hits, and your NAT policies are indicating that they are getting used as well. With the interzone-default logging enabled, you should be able to view the traffic logs and see where exactly things are breaking down.

Re: Problem configuring rules for our mail server using anti spam cloud service

Brandon_Wertz — Sun, 11 Mar 2018 15:08:55 GMT

@BPrywrote:
Both of the security policies that you have displayed are showing hits,

This brings up a good point...Embedded rule usage is a feature set of PAN-OS 8.1.X. I'm not trying to jump and say merely the code base is the issue, but for the sake of stability to a production environment running an established / stable code release would also be a good idea?

Re: Problem configuring rules for our mail server using anti spam cloud service

BPry — Sun, 11 Mar 2018 15:13:28 GMT

@MichelD,

@Brandon_Wertz brings up a rather good point, and one that I kind of didn't think about. While 8.1.0 is released I would hesitate to use it in a production enviroment where you are actually publishing services. So far, I've only deployed 8.1.0 on LAB equipment, and the PA-220s that I utilize for our IT department to make a tunnel back to our main office from their houses.

I'm not going to go as far as to say that 8.1.0 is your issue here, because I don't actually believe it is, but I wouldn't be running 8.1.0 in this capacity just yet.

I just want to stress here though, I don't think 8.1.0 is your actual issue. I think if you do as I stated you'll see something that you aren't allowing in your security policies that is getting denied by the interzone-default policy.

Re: Problem configuring rules for our mail server using anti spam cloud service

MichelD — Sun, 11 Mar 2018 21:54:29 GMT

Thank you everybody for your input.

My problem is now solve. In my case, 8.1 was not the culprit.

Here are my final configuration and working great going through the anti-spam cloud service in both directions.

Line with the (MODIFIED) are the corrections to my original configuration.

To find out what was wrong, I had created an any-to-any temporary (5 minutes max) rule with the risk (i know). So I got the information in the trafic log. Logging is not enabled in the default 2 security rules.

As a documentation, my physical configuration is like that:

My MX records points to the ANTISPAM-CLOUD service.

INBOUND EMAILS ---> ANTISPAM-CLOUD ---> FW ---> MAIL-SERVER (Trueted Zone(

MAIL-SERVER (Trusted Zone) ---> FW ---> ANTISPAM-CLOUD ---> OUTBOUD EMAILS

I have the following NAT rule for outgoing mails.

src-zone : Servers-Zone
dst-zone : Internet-Zone
dst-interface : Internet1/1
src-addr : PRV-MAIL-SERVER
dest-addr : outbound-mail-to antispam solution (MODIFIED)
Service : any (MODIFIED)
Src-translation: static-ip: PUB-MAIL-SERVER, bidirectional : no (Bidirectional=NO)

and the following NAT rule for then incoming mails
src-zone : Internet-Zone
dst-zone : Internet-Zone (MODIFIED)
dst-interface : Internet1/1 (MODIFIED)
src-addr : ANTISPAM-ADDR-GROUP (MODIFIED)
dest-addr : PUB-Mail-Server (MODIFIED)
Service : any (MODIFIED)
Src-translation: static-ip: PRV-MAIL-SERVER, bidirectional : no (Bidirectoional=NO)

The Security Rules are (Outgoing email):
src Zone : Servers-Zone
src Address : PRV-MAIL-SERVER
dst Zone : Internet-Zone
dst-Addr : outbound-mail-to antispam solution (MODIFIED to go through the ANTISPAM)
application : smtp and Service : application-default
Action : Allow

The Security Rules are (Incoming email):
src Zone : Internet-Zone
src Address : ANTISPAM-ADDR_GROUP
dst Zone : Server-Zone
dst-Addr : PUB-MAIL-SERVER (MODIFIED)
application : smtp and Service : application-default
Action : Allow

Thank you again,

Michel