09-24-2014 03:43 PM
I feel silly asking this - wouldn't you want a deny on any decoder where a virus is detected rather than allowing the traffic and just throwing an alert?
10-21-2014 08:39 AM
Hello mrsoldner,
I was able to confirm a couple of things.
- mrsoldner is hitting Bug# 57763
- workaround is to define explicit "alert" instead of "default(alert)" for WF Action
- permanent fix is in PanOS 5.0.10
Regards,
David
03-31-2015 07:04 AM
Hey
Some more information on why the default action is set to alert for POP3, IMAP and SMTP instead of block.
* POP3/IMAP + block -> A virus mail will be blocked. BUT: You cannot get a new email from this server until the virus email is deleted from the server, because the whole POP3 session will be dropped each time you retry to retrieve your emails, since emails are not sent separately with this protocol.
* SMTP + block -> An SMTP 541 error message will be sent as part of the block action when a virus is detected. This will tell the mail server not to retry sending the message, allowing the firewall to drop the mail without the mail server trying to resend it. So I don't really see why the default action would be just alert. I guess some SMTP servers will not listen to these 541 error messages and keep resending the email...