Handling Google Mail (1e100.net)?

Reply
L2 Linker

Handling Google Mail (1e100.net)?

So our organization makes use of Google's cloud services as our email provider and it's a nightmare trying to control on the PA's as they don't accept wildcard's for IP's nor FQDN's.  Challenge here is Google seems to send emails (SMTP) to every **bleep** *.*.*.26 and *.*.*.27 address on the planet (1e100.net servers) and gets old coming in every day and adding more IP's to the "allow" list as they pop up (already up to 328 entries).  Anybody found a way to manage these?

L7 Applicator

Re: Handling Google Mail (1e100.net)?

I wonder if this is a problem that you could solve with MineMeld (https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld).  

 

It looks like there are a couple of "google netblock" prototypes.  Maybe one of those would work, or the team behind MineMeld could provide some additional suggestions?  

 

Capture.PNG

Highlighted
L7 Applicator

Re: Handling Google Mail (1e100.net)?

It would be nice if Palo just added the dang functionallity of wildcards or FQDNs in the policy map. We all know that this is possible since almost every other major Firewall brand is offering it, and Palo itself is capabale when it comes to URL Filtering. I don't see any reason to have to buy MineMeld to get this to function. 

L7 Applicator

Re: Handling Google Mail (1e100.net)?

I'd recommend getting with your Palo Alto Networks SE so that they can log a vote for you in the feature request system for this.

 

MineMeld is free.  

L6 Presenter

Re: Handling Google Mail (1e100.net)?

@PeterT, asking the obvious question, why not just allow the "gmail" application?  Is there some security policy which requires the application being tied to a set of IPs?

 

Maybe you could reach out to your SE, as suggested previously, and maybe they can help get you more specifics on the guts of the application signature which could assuage your security team to not restrict to a specific set of IPs?

L7 Applicator

Re: Handling Google Mail (1e100.net)?

I've found the best way to actually manage something like this is app-id and URL Filtering. Trying to keep up with the IP addresses of different service providers (Google, Azure, AWS) is only going to get more difficult; you may try and contact Google Support and see if they will give you the IP address list itself that is associated with 1e100, they are generally pretty good at handing out that information. 

L2 Linker

Re: Handling Google Mail (1e100.net)?

App-ID doens't work here as it's SMTP traffic and as such doesn't get identified as gmail (as that only identifies https web traffic).  URL filters will fail here as it's SMTP so irrelevant.

 

Will reach out and nag on SE but honestly never had a single issue I broached with a SE in years from any vendor ever fixed so I assume they are basically useless.  Hell I can't get bugs fixed much less feature requests.

L7 Applicator

Re: Handling Google Mail (1e100.net)?

Google publishes how to retrieve the list of IP address ranges in use:

 - https://support.google.com/a/answer/60764?hl=en

 

It'd be a pain to do that manually and on a regular basis.  This is exactly what MineMeld was designed to do:  automatically download external data (such as a big list of google IP addresses), process it, and publish it in a format compatible with External Dynamic Lists:

 - https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/external-dynamic-list

 

Then your firewall policy references a single object that is continually updated by MineMeld.  No more manually adjusting that object on a regular basis.  Automate that stuff.  

  

 

 

 

 

L7 Applicator

Re: Handling Google Mail (1e100.net)?

@jvalentine don't you need additonal licensing to run MindMeld? I thought that was the case but looking into it a little bit now I can't actually see anything that references a license for the product. 

L7 Applicator

Re: Handling Google Mail (1e100.net)?

@BPry, MineMeld is open source.  You just need to provide a host run run it on (either as a VM, in the cloud, or on bare metal).  

 

There is no licensing required to interface MineMeld to a Palo Alto Networks firewall.  The communication is done primarily via the External Dynamic List feature in PAN-OS, which is a base feature of the platform.  

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!