As you can see on this forum, I have some configuration problems with CP.
In the zone where I have CP enabled I have a Minolta BizHub c220 device (with static IP 192.168.3.251). This device has a scan-to-email feature. After I enabled CP for this zone, of course no email gets to the users.
I checked almost every thread on this forum, but I didn't find a solution.
As I understand it, for CP we have three types of policies: security, NAT and captive portal. NAT is simple in this case; security I configured:
and Captive Portal policy:
In the logs I have this traffic:
NTP and DNS traffic is allowed by the security rule, that's OK.
I added another security policy to allow all traffic from this zone to the untrust zone. That doesn't work for me.
So I tried to go further and added a CP policy that should allow traffic on port 465, but as you can see in the log, this doesn't work either.
How should I configure policies in such a situation?
I believe that it is possible to configure this on PAN. I didn't find on the BizHub any ability to authenticate on CP/HotSpot.
Yep. It's OK. In the meantime I changed the zone name from Scholastcy to School.
I'm curious why today some of the traffic is allowed when yesterday it was blocked.
Is it possible to allow 3.251 not all traffic to port 465 but only SSL (or even better, Google Mail)?
OK - it's working. But ... I will "sleep better" when I limit the type of application to Google Mail.
I have an idea - in security rule "Scholastycy - ksero" change the application from any to gmail - in my opinion it should limit this BizHub to connecting to Gmail.
I have a question for you: are my policies set up correctly according to best practices?
Changing the application to gmail-base should work, and you can also use a DNS name as the destination in that rule for even more granular control.
To be on the safe side, I would attach more security profiles to rule "Scholastycy - DNS". But even better would be to delete that rule and set up DNS Proxy on the PAN device to avoid possible DNS tunneling.
>can also use DNS name as destination
So should I put "gmail.com" there? I have very limited access to this device and I can't test this change...
If in the security policy there is Application: dns, Service: application-default with Anti-Spyware: strict, is it still possible to do DNS tunneling??
So it's time to set up DNS proxy ...
You could put there the DNS name of the SMTP server the device is using. What it is, I do not know.
I believe it is, under some circumstances; check: https://live.paloaltonetworks.com/message/28579
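A sketch of the configuration the replies above describe, written as PAN-OS configure-mode `set` commands. This is an added example, not something any poster in this thread provided: it assumes zone names School and untrust, the printer at 192.168.3.251, an inside interface ethernet1/3 and public upstream resolvers for the DNS proxy; the rule names reuse the ones mentioned in the thread. The `#` lines are explanatory and are not accepted by the CLI, and the exact keywords (in particular `move ... top` and the `dns-proxy` arguments) are from memory and should be checked against the running PAN-OS release before committing.

```panos
# Added example (not from the thread). Assumed: zones School / untrust,
# printer 192.168.3.251, interface ethernet1/3, upstream resolvers
# 8.8.8.8 / 8.8.4.4. Verify keywords against your PAN-OS release.
configure

# 1. Printer mail rule: only gmail-base on its default ports, from the
#    printer IP only. source-user is "any" because the BizHub cannot log
#    in to Captive Portal and therefore never maps to a User-ID.
set rulebase security rules "Scholastycy - ksero" from School to untrust
set rulebase security rules "Scholastycy - ksero" source 192.168.3.251 source-user any
set rulebase security rules "Scholastycy - ksero" destination any
set rulebase security rules "Scholastycy - ksero" application gmail-base service application-default
set rulebase security rules "Scholastycy - ksero" action allow
set rulebase security rules "Scholastycy - ksero" profile-setting profiles spyware strict virus default vulnerability strict

# 2. Captive Portal exemption so the printer is never redirected to the
#    login page. Every other host in the zone still hits the web-form rule.
set rulebase captive-portal rules "ksero - no CP" from School to untrust
set rulebase captive-portal rules "ksero - no CP" source 192.168.3.251 destination any service any
set rulebase captive-portal rules "ksero - no CP" action no-captive-portal
move rulebase captive-portal rules "ksero - no CP" top

# 3a. Keep the DNS rule but attach a strict Anti-Spyware profile to it ...
set rulebase security rules "Scholastycy - DNS" application dns service application-default
set rulebase security rules "Scholastycy - DNS" profile-setting profiles spyware strict

# 3b. ... or replace it with a DNS proxy on the zone's interface, so clients
#     only ever talk to the firewall, which forwards queries upstream.
set network dns-proxy School-DNS enabled yes
set network dns-proxy School-DNS interface ethernet1/3
set network dns-proxy School-DNS default primary 8.8.8.8 secondary 8.8.4.4

commit
```

The exemption in step 2 is what keeps the printer out of the web-form flow: Captive Portal only acts on sessions whose source user is still unknown, and a device that cannot log in stays unknown forever. Step 1 then narrows what that unauthenticated host may do to a single application from a single source address, which is the "sleep better" restriction discussed above. If you do go with 3b, point the printer's DNS setting at the firewall interface address and remove the now-unneeded "Scholastycy - DNS" rule.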