https://live.paloaltonetworks.com/t5/general-topics/email-attachment/m-p/255065#M72389 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a>&nbsp;,</P><P>&nbsp;</P><P>I have couple of confusions here, could you please help.</P><P>Which database firewall will check for these URLs in email ?. is it PAN-DB ?. if yes, hope i need PAN-DB licence to have link analysis work properly.</P><P>&nbsp;</P><P>So as you mentioned, when one url previously identified as malicious is available in another mail to differenr reciever, the mail will be blocked?.</P><P>&nbsp;</P> Tue, 26 Mar 2019 13:57:52 GMT Abdul_Razaq 2019-03-26T13:57:52Z https://live.paloaltonetworks.com/t5/general-topics/email-attachment/m-p/246050#M70093 <P>Hi community,</P><P>&nbsp;</P><P>can anyone clear my following doubts.</P><UL><LI>I have a mail server behind my PA, i am not doing ssl for mailserver communications.</LI><LI>i have antivirus &amp; wildfire profiles applied for inbound and outbound connections to this mail server.</LI><LI>what if i get a mail to my server having malicious url inside mail( PA allready knows it as malicious, hope othervise he send to wildfire for analysis and update PAN-DB) , will PA block email?</LI><LI>what if i have URL as attachment ( encoded as pdf and attached to email) ?,</LI><LI>will antivirus profile will check URL aswell as he checks other file type?.</LI><LI>is there any difference if it was a phishing link or a download link ?</LI><LI>i understand if user clicks the url, he will be blocked as i have url filtering from inside to outside, (my concern is if he is outside network, not using GP nd access the site, his machine/credentials will be compromised.)</LI><LI>Is there a way for making PA to check email-link reputation with DB before the email send to user, if DB doesnt categorised the URL, email should go to user as wildfire will take time.</LI></UL><P>&nbsp;</P> Tue, 15 Jan 2019 09:22:49 GMT https://live.paloaltonetworks.com/t5/general-topics/email-attachment/m-p/246050#M70093 Abdul_Razaq 2019-01-15T09:22:49Z https://live.paloaltonetworks.com/t5/general-topics/email-attachment/m-p/246355#M70162 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/101029">@Abdul_Razaq</a>&nbsp;wrote:<BR /><UL><LI>What if i get a mail to my server having malicious url inside mail( PA allready knows it as malicious, hope othervise he send to wildfire for analysis and update PAN-DB) , will PA block email?</LI></UL><HR /></BLOCKQUOTE><P>Yes, PA will block the email and if the URL is not known it will be sent to WF</P><P>&nbsp;</P><BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/101029">@Abdul_Razaq</a>&nbsp;wrote:<BR /><UL><LI>what if i have URL as attachment ( encoded as pdf and attached to email) ?,</LI><LI>will antivirus profile will check URL aswell as he checks other file type?.</LI></UL><HR /></BLOCKQUOTE><P>PA will not check these URLs. It will only block the email if the attachment itself contains a virus</P><P>&nbsp;</P><BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/101029">@Abdul_Razaq</a>&nbsp;wrote:<BR /><UL><LI>is there any difference if it was a phishing link or a download link ?</LI></UL><HR /></BLOCKQUOTE><P>PA will only block (if you configure it to) emails that contain phishing, malware and c&amp;c URLs</P><P>&nbsp;</P><BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/101029">@Abdul_Razaq</a>&nbsp;wrote:<BR /><UL><LI>I understand if user clicks the url, he will be blocked as i have url filtering from inside to outside, (my concern is if he is outside network, not using GP nd access the site, his machine/credentials will be compromised.</LI></UL><HR /></BLOCKQUOTE><P>Yes, without the firewall the users are obviously not protected by PA</P><P>&nbsp;</P><BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/101029">@Abdul_Razaq</a>&nbsp;wrote:<BR /><UL><LI>Is there a way for making PA to check email-link reputation with DB before the email send to user, if DB doesnt categorised the URL, email should go to user as wildfire will take time.</LI></UL><HR /></BLOCKQUOTE><P>No, not yet. This is in my opinion a job for an email gateway and not for a firewall.</P><P>&nbsp;</P> Wed, 16 Jan 2019 20:25:07 GMT https://live.paloaltonetworks.com/t5/general-topics/email-attachment/m-p/246355#M70162 Remo 2019-01-16T20:25:07Z https://live.paloaltonetworks.com/t5/general-topics/email-attachment/m-p/246431#M70174 <P>Thanks vsys_remo<SPAN class="">&nbsp;for your kind support.</SPAN></P><P><SPAN class="">I am bit confused between first and Last answer, is in't it conflicting ?.</SPAN></P><P>&nbsp;</P><P><SPAN class="">Just need to know whether PA will be blocking email if email body contains malicious/Phishing URL before the email reaches the reciever. PA will know about the url if he checks url DB only right?. i understand these all are email gateways job. But feels like, because these are technically possible, may PA is doing this.</SPAN></P> Thu, 17 Jan 2019 07:04:25 GMT https://live.paloaltonetworks.com/t5/general-topics/email-attachment/m-p/246431#M70174 Abdul_Razaq 2019-01-17T07:04:25Z https://live.paloaltonetworks.com/t5/general-topics/email-attachment/m-p/246531#M70188 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/101029">@Abdul_Razaq</a></P><P>&nbsp;</P><P>Yes, your paloalto firewall will block these emails if the URLs are known malicious/phishing URLs. Unknown ones will be forwarded to wildfire bjt the email will also be forwarded even if wildfire decides this is a phishing URL. Mainly this is because the paloalto firewall is only stream based so it does what it can (which is already a lot) without storing data on the firewall while an email gateway is working store-and-forward. So it takes the email, does all the configured checks for malware and in some cases also URL reputation checks and if everything is good, then the email will be forwarded.</P> Thu, 17 Jan 2019 19:18:43 GMT https://live.paloaltonetworks.com/t5/general-topics/email-attachment/m-p/246531#M70188 Remo 2019-01-17T19:18:43Z https://live.paloaltonetworks.com/t5/general-topics/email-attachment/m-p/246532#M70189 Thanks vsys_remo,<BR />Your knowledge is much appreciated.. Thu, 17 Jan 2019 19:39:25 GMT https://live.paloaltonetworks.com/t5/general-topics/email-attachment/m-p/246532#M70189 Abdul_Razaq 2019-01-17T19:39:25Z https://live.paloaltonetworks.com/t5/general-topics/email-attachment/m-p/255065#M72389 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a>&nbsp;,</P><P>&nbsp;</P><P>I have couple of confusions here, could you please help.</P><P>Which database firewall will check for these URLs in email ?. is it PAN-DB ?. if yes, hope i need PAN-DB licence to have link analysis work properly.</P><P>&nbsp;</P><P>So as you mentioned, when one url previously identified as malicious is available in another mail to differenr reciever, the mail will be blocked?.</P><P>&nbsp;</P> Tue, 26 Mar 2019 13:57:52 GMT https://live.paloaltonetworks.com/t5/general-topics/email-attachment/m-p/255065#M72389 Abdul_Razaq 2019-03-26T13:57:52Z