gmail-base without smtp, pop3, imap applications

L1 Bithead


Hello,

I don't really get the application dependency. I had a case at my customer. They asked me to allow the gmail-base application, so I made a security policy. But when I committed the settings, a popup appeared that told me that additional applications should be allowed.

Like smtp, imap, pop3, ssl. But I don't want to allow them. How can I do this?

thanks

L1 Bithead

Re: gmail-base without smtp, pop3, imap applications

The only way is to paste a Deny rule that drops all smtp, imap, and pop3. Is that right?

prb
L3 Networker

Re: gmail-base without smtp, pop3, imap applications

Yes, you can go ahead and configure a deny rule to drop smtp, imap, and pop3.

You don't need them normally for gmail-base, unless you have a specific requirement.

L7 Applicator

Re: gmail-base without smtp, pop3, imap applications

Hello RudTor,

There are different ways to access Gmail.

1. Through a web browser.

2. Through an imap, smtp, or pop3 mail client (example: Microsoft Outlook).

To access it through a browser, only ssl (for https://gmail.com, port 443) and web-browsing (http://gmail.com, port 80) will be enough as dependent applications. You need not allow all dependent applications unless you are using them.


Explain to your customer that if he only wants to access Gmail through a browser, he can allow the ssl and web-browsing applications along with gmail-base. He can safely ignore the dependency warning for smtp, pop3 and imap.

gmail-applepedia.JPG.jpg

Here is an example, while I am accessing https://gmail.com through a browser.

gmail-traffic-log.JPG.jpg

Hope this helps.

Thanks

L1 Bithead

Re: gmail-base without smtp, pop3, imap applications

Hello Hulk,

Thank you. But if I make a security policy to allow only web-browsing and ssl, the gmail-base will be dropped. And if I add gmail-base to this policy, a dependency warning appears on commit.

L7 Applicator

Re: gmail-base without smtp, pop3, imap applications

Hello RudTor,

This is expected. If you make a security policy to allow only web-browsing and ssl, then gmail-base traffic will be dropped. Once you add Application=gmail-base to that security policy, you can safely ignore the dependency warning for smtp, pop3 and imap.

Thanks

L1 Bithead

Re: gmail-base without smtp, pop3, imap applications

Thank you, Hulk.

OK, but after I add the gmail-base application without the other applications smtp, imap, pop3, I will get the warning every time I make the commit?

Thanks

L7 Applicator

Re: gmail-base without smtp, pop3, imap applications

Hello RudTor


Could you please let me know the PAN-OS and Application database version running on your device? I am using PAN-OS 6.0.1 and not getting any warning, even if I have only the gmail-base and ssl applications added to the policy. (As per my knowledge, from 5.0.x onwards the warning message will not appear during commit.)


FYI:


test-1.JPG.jpg


Thanks

L1 Bithead

Re: gmail-base without smtp, pop3, imap applications

Hello,

It's PAN-OS 6.0.1.

paloaltoFW.jpg

paloaltoFW_Warning.jpg

L1 Bithead

Re: gmail-base without smtp, pop3, imap applications

Hulk,

I think that you don't get any warning because of your rule nr. 2, where you allow any to any.
