email attachment

L3 Networker

Hi community,

 

can anyone clear my following doubts.

  • I have a mail server behind my PA, i am not doing ssl for mailserver communications.
  • i have antivirus & wildfire profiles applied for inbound and outbound connections to this mail server.
  • what if i get a mail to my server having malicious url inside mail( PA allready knows it as malicious, hope othervise he send to wildfire for analysis and update PAN-DB) , will PA block email?
  • what if i have URL as attachment ( encoded as pdf and attached to email) ?,
  • will antivirus profile will check URL aswell as he checks other file type?.
  • is there any difference if it was a phishing link or a download link ?
  • i understand if user clicks the url, he will be blocked as i have url filtering from inside to outside, (my concern is if he is outside network, not using GP nd access the site, his machine/credentials will be compromised.)
  • Is there a way for making PA to check email-link reputation with DB before the email send to user, if DB doesnt categorised the URL, email should go to user as wildfire will take time.

 

L7 Applicator

Re: email attachment


@Abdul_Razaq wrote:
  • What if I get a mail to my server having a malicious URL inside the mail (PA already knows it as malicious; I hope it otherwise sends it to WildFire for analysis and updates PAN-DB), will PA block the email?

Yes, PA will block the email, and if the URL is not known it will be sent to WF.

 


@Abdul_Razaq wrote:
  • What if I have the URL as an attachment (encoded as PDF and attached to the email)?
  • Will the antivirus profile check the URL as well, as it checks other file types?

PA will not check these URLs. It will only block the email if the attachment itself contains a virus.

 


@Abdul_Razaq wrote:
  • Is there any difference if it was a phishing link or a download link?

PA will only block (if you configure it to) emails that contain phishing, malware and C&C URLs.

 


@Abdul_Razaq wrote:
  • I understand that if the user clicks the URL, he will be blocked, as I have URL filtering from inside to outside (my concern is that if he is outside the network, not using GP, and accesses the site, his machine/credentials will be compromised).

Yes, without the firewall the users are obviously not protected by PA.

 


@Abdul_Razaq wrote:
  • Is there a way of making PA check the email-link reputation with the DB before the email is sent to the user? If the DB hasn't categorised the URL, the email should go to the user, as WildFire will take time.

No, not yet. This is in my opinion a job for an email gateway and not for a firewall.

 

L3 Networker

Re: email attachment

Thanks vsys_remo for your kind support.

I am a bit confused between the first and last answers; aren't they conflicting?

I just need to know whether PA will block the email, before it reaches the receiver, if the email body contains a malicious/phishing URL. PA will know about the URL only if it checks the URL DB, right? I understand this is all an email gateway's job. But it feels like, because these things are technically possible, maybe PA is doing this.

L7 Applicator

Re: email attachment

Hi @Abdul_Razaq

 

Yes, your Palo Alto firewall will block these emails if the URLs are known malicious/phishing URLs. Unknown ones will be forwarded to WildFire, but the email will also be forwarded even if WildFire decides this is a phishing URL. Mainly this is because the Palo Alto firewall is only stream-based, so it does what it can (which is already a lot) without storing data on the firewall, while an email gateway works store-and-forward. So it takes the email, does all the configured checks for malware and in some cases also URL reputation checks, and if everything is good, then the email will be forwarded.
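
The store-and-forward check described in the reply above, as an added Python example that is not part of the thread and not any vendor's code: it holds the complete message, decodes each text part, looks up every link's host in a reputation table, and only then decides. The `REPUTATION` table, the hostnames, the category labels and all function names are constructed assumptions; uncategorised URLs are delivered, as the original question asks.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Constructed reputation table standing in for a URL database lookup.
REPUTATION = {
    "login.example-phish.test": "phishing",
    "files.example-malware.test": "malware",
}
BLOCKED_CATEGORIES = {"phishing", "malware", "command-and-control"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def extract_urls(msg):
    """Return URLs from every text part, after transfer-decoding."""
    urls = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # containers and binary attachments are not scanned here
        text = part.get_content()  # undoes base64 / quoted-printable encoding
        urls.update(u.rstrip(".,);") for u in URL_RE.findall(text))
    return urls


def verdict(raw_message):
    """Hold the whole message, check every link, then decide."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits, unknown = {}, []
    for url in sorted(extract_urls(msg)):
        host = (urlsplit(url).hostname or "").lower()
        category = REPUTATION.get(host)
        if category in BLOCKED_CATEGORIES:
            hits[url] = category
        elif category is None:
            unknown.append(url)  # uncategorised: deliver, report for analysis
    return ("quarantine" if hits else "deliver"), hits, unknown


def build_sample(html_body):
    """Constructed test message with a base64-encoded HTML alternative."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.test", "user@example.test"
    m["Subject"] = "constructed sample"
    m.set_content("See the HTML part.")
    m.add_alternative(html_body, subtype="html", cte="base64")
    return m.as_bytes()
```
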

L3 Networker

Re: email attachment

Thanks vsys_remo,
Your knowledge is much appreciated.
L3 Networker

Re: email attachment

Hi @vsys_remo ,

 

I have a couple of confusions here; could you please help?

Which database will the firewall check for these URLs in email? Is it PAN-DB? If yes, I hope I need a PAN-DB licence to have link analysis work properly.

So, as you mentioned, when a URL previously identified as malicious is present in another mail to a different receiver, the mail will be blocked?
