My SMTP rule allows a lot of other traffic



L3 Networker

Hello,

I have a specific rule that only allows SMTP application.

When looking at the traffic logs related to this rule, I see a huge amount of other packets!

Most of them are "incomplete", but I also have a lot of applications like dns, oracle, RPC and unknown-tcp.

I heard that setting service to "application-default" could resolve this kind of issue, but as my PaloAlto SE said "You don't have to care about port and services anymore, this next-gen firewall is based on application...."

I see...

Laurent

4 REPLIES

L4 Transporter

The incompletes I wouldn't worry about. That means the session did not complete the three-way handshake.

I still define the service (port) for all my policies. I would either set the port for app-default or port 25.

Indeed, when setting service to "application-default" it's much better. No more heterogeneous traffic. The only other traffic I get is "incomplete".

Thanks for your help.

However I don't really understand why application signature was not sufficient in this case...

Regards,

Laurent

L4 Transporter

Hello Laurent,

Before being classified as SMTP traffic, the TCP three-way handshake must be completed (if not, you see 'incomplete' in the logs).

Then, after a few packets are exchanged, the PA is able to assign the 'SMTP' protocol to the traffic flow.

If you do not use 'application-default' or a custom service, all traffic (on any port) matches that rule...

Regards,

Hedi

L4 Transporter

When allowing traffic by application (SMTP in this case), a certain amount of traffic must be 'seen' by the Palo in order for it to determine whether the traffic is indeed SMTP.

You will receive an entry in the log against this rule for every packet destined to your SMTP server IP address regardless of whether it is SMTP or not.

Only those evaluated and determined to be SMTP will be allowed through.

As others have suggested, these can be greatly reduced if you set port as application-default - if that suits your intended use.
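To make the explanation in the last two replies concrete, here is a small Python model of how an "allow app=smtp" rule behaves with service set to "any" versus "application-default". This is an added illustration written for this thread; it is not PAN-OS code and not something posted by the participants. The port table and the sample sessions are constructed, and the model deliberately simplifies one thing: a session the rule admitted on its first packet stays attributed to that rule in the log, which is what the original post reports seeing.

```python
"""Simplified model of first-packet rule matching versus later App-ID
classification.  Constructed illustration, not Palo Alto Networks code."""

from dataclasses import dataclass

# Assumed default ports for a few App-IDs (constructed table, not the
# vendor's list).  application-default restricts the rule to these ports.
APP_DEFAULT_PORTS = {"smtp": {25}, "dns": {53}, "oracle": {1521}}


@dataclass
class Rule:
    name: str
    apps: set
    service: str            # "any" or "application-default"
    action: str = "allow"


@dataclass
class Session:
    dst_port: int
    handshake_complete: bool
    app_after_inspection: str   # what App-ID identifies once enough
                                # packets are seen; None if never identified


def rule_matches_before_appid(rule, session):
    """First-packet match: the application is still unknown, so only the
    service (port) field can narrow which sessions hit this rule."""
    if rule.service == "any":
        return True
    allowed_ports = set()
    for app in rule.apps:
        allowed_ports |= APP_DEFAULT_PORTS.get(app, set())
    return session.dst_port in allowed_ports


def evaluate(rule, session):
    """Return (rule name shown in the log, app shown in the log, final action)."""
    if not rule_matches_before_appid(rule, session):
        return (None, None, "no match")          # never appears under this rule
    if not session.handshake_complete:
        # Three-way handshake never finished: nothing for App-ID to classify.
        return (rule.name, "incomplete", "allow")
    app = session.app_after_inspection
    if app in rule.apps:
        return (rule.name, app, rule.action)     # identified as SMTP: allowed
    # Identified as something else: the rule does not permit it.
    return (rule.name, app, "deny")


def summarize(rule, sessions):
    """Count the log entries attributed to the rule, keyed by logged app."""
    counts = {}
    for s in sessions:
        logged_rule, app, _ = evaluate(rule, s)
        if logged_rule == rule.name:
            counts[app] = counts.get(app, 0) + 1
    return counts


# Constructed sample traffic toward the mail server: real SMTP, a half-open
# connection, and a few unrelated services on other ports.
SAMPLE_SESSIONS = [
    Session(25, True, "smtp"),
    Session(25, False, None),
    Session(53, True, "dns"),
    Session(1521, True, "oracle"),
    Session(135, True, "msrpc"),
    Session(4444, True, "unknown-tcp"),
    Session(4444, False, None),
]

SMTP_ANY = Rule("allow-smtp", {"smtp"}, "any")
SMTP_APPDEF = Rule("allow-smtp", {"smtp"}, "application-default")

if __name__ == "__main__":
    print("service=any:                ", summarize(SMTP_ANY, SAMPLE_SESSIONS))
    print("service=application-default:", summarize(SMTP_APPDEF, SAMPLE_SESSIONS))
```

With service "any" the rule is the first match for every session to the server, so the log fills with "incomplete" plus whatever App-ID later identifies (dns, oracle, msrpc, unknown-tcp), even though only the smtp session is ultimately allowed. With "application-default" only port-25 sessions ever reach the rule, leaving smtp and the occasional "incomplete" half-open connection, which matches what the thread reports.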
