Action on a vulnerability found in an SMTP flow


L1 Bithead

Hello,

How do I configure the PA firewall to return an SMTP 541 when a vulnerability is seen in an SMTP flow? I have managed to do it with the AV protection but not with the vulnerability protection.

Cedric


Community Team Member

Hi @Cedricd,

This should help you out:

https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Complete-Action-List-in-Profi...

Cheers!

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Thanks @kiwi

From what I see, starting from 7.0, I will be able to use 'reset both' for vulnerability, and if it is SMTP, it will send an SMTP 541?

Currently, I am using 6.1 and it is only working like that for AV protection.

Community Team Member

Hi @Cedricd,

Yes, that is correct.

Cheers!

-Kim.

Hi kiwi,

Is it possible that this does not work if there is a vulnerability found inside an attachment?

For example, I have emails arriving with Office documents where a threat (Microsoft Office Memory Corruption Vulnerability (id 38859)) is found inside the Office document, and the corresponding email gateway does not receive an SMTP error 541 but gets the connection cancelled via TCP reset, and retries and retries to deliver the email to the backend server. The email gateway itself states SMTP error 442 Bad Connection.

We are on PAN-OS 7.1, so according to https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Complete-Action-List-in-Profi... the firewall should send SMTP error 541.

Best regards

Alex

That's exactly my problem with PAN-OS 6.1. I was hoping 7.1 solved that issue, but it looks like it is not the case?

Community Team Member

Hi @aroos_dts, @Cedricd,

I might have mixed up virus/vulnerability in my previous comment 😕

It actually depends on whether the email is identified as a virus or as a vulnerability.

Note that in the Antivirus profile you have an SMTP decoder (you don't have this decoder in Vulnerability profiles).

The article posted earlier does mention that it only applies to the SMTP decoder.

With the correct action of "reset-both" in the SMTP decoder you will get the 541 response.

However, in the Vulnerability profile there is no such thing as an SMTP decoder, so you will get a TCP reset.

The good news is that there is already a feature request to add this functionality to Vulnerability profiles (FR #6548). You can reach out to your local SE and ask him to add your vote to this feature.

Kind regards,

-Kim.

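To make the difference Kim describes concrete, here is an added example (written for this page, not code from the thread or from Palo Alto Networks). It stands up a mock "firewall" on localhost that behaves either like the Antivirus profile's SMTP decoder with reset-both (an explicit 541 reply, then an orderly close) or like a Vulnerability profile reset (a bare TCP RST), and then shows what a sending MTA does with each: a 5xx reply is a permanent failure and is bounced, while a dropped connection is treated as transient and requeued, which is exactly the retry loop Alex sees. The mode names, the reply text and the addresses are constructed for the example; the 4xx/5xx handling follows the RFC 5321 reply-code classes.

```python
"""Simulate an SMTP 541 reply versus a bare TCP reset and show how a sending MTA
reacts to each. Added example; the mock server and its reply text are constructed."""
import socket
import struct
import threading

MODES = ("antivirus-reset-both", "vulnerability-reset-both")   # constructed labels
SMTP_541 = b"541 5.7.1 Message rejected by security policy\r\n"  # constructed reply text


def _mock_firewall(listener, mode):
    """Accept one client and react the way the firewall does in `mode`."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"220 mock.example ESMTP\r\n")   # normal banner
        conn.recv(1024)                                # wait for the client's first command
        if mode == "antivirus-reset-both":
            conn.sendall(SMTP_541)                     # explicit 541, then an orderly close (FIN)
        else:
            # SO_LINGER with a zero timeout makes close() emit a TCP RST instead of a FIN,
            # which is all the client ever sees from a Vulnerability-profile reset.
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))


def classify_delivery_attempt(mode):
    """Connect to a mock firewall running in `mode` and return the MTA's decision:
    'bounce' for a 5xx reply, 'retry' for a 4xx reply or a dropped connection."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))                    # ephemeral port, loopback only
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_mock_firewall, args=(listener, mode), daemon=True)
    server.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
            client.recv(1024)                                      # banner
            client.sendall(b"MAIL FROM:<sender@example.invalid>\r\n")
            try:
                reply = client.recv(1024)
            except ConnectionResetError:
                return "retry"          # TCP RST looks like a network fault, so the MTA requeues
            if not reply:
                return "retry"          # peer closed without a reply: also treated as transient
            code = int(reply[:3])
            if 500 <= code < 600:
                return "bounce"         # permanent failure: logged and not retried
            if 400 <= code < 500:
                return "retry"          # transient failure: requeued
            return "continue"           # 2xx/3xx: the session would proceed
    finally:
        server.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    for m in MODES:
        print(f"{m}: MTA would {classify_delivery_attempt(m)}")
```

Running it prints `bounce` for the antivirus mode and `retry` for the vulnerability mode. On the firewall side the same distinction is visible in the threat log subtype (virus versus vulnerability), which is the quickest way to confirm which profile produced the reset before concluding that the 541 action "is not working".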

Hi @kiwi,

Thanks for your fast response! So we hope that this will be implemented some day 🙂

Best regards

Alex

L1 Bithead

I've just come across this very issue.  Kind of a pain.  Any update on the feature request?
