06-29-2021 09:54 AM - edited 06-29-2021 09:58 AM
I have a simple virtual wire installation here, just testing policies. I have a policy that is:
source: inside
destination: outside
application: any
service: application default
I attempted to connect to gmail through Outlook with IMAP and was being blocked. Logs showed application of "insufficient-data" and "incomplete" with session end reason "tcp-rst-from-server".
I then created another near-identical policy with the only difference being application is "gmail-base". I placed it above the original (see screenshot).
With this new policy added I am able to connect to gmail through Outlook with IMAP. The policies are otherwise identical. I'm now seeing application "gmail-base" and "yahoo-mail-base" in the traffic logs. If I disable the gmail-base policy I can no longer connect to any IMAP server over port 993.
I can connect to both imap.gmail.com and imap.mail.yahoo.com with the openssl client: openssl.exe s_client -connect imap.mail.yahoo.com:993 with the policy enabled.
I then made a URL Category object containing imap.gmail.com and smtp.gmail.com and added it to the service/category page on the policy that had gmail-base but was still able to connect to imap.mail.yahoo.com with the openssl client.
So, I guess I have two questions:
Why does application:any not allow IMAP but application:gmail-base does allow it?
Shouldn't the URL Category object containing only gmail domains prevent me from connecting to imap.mail.yahoo.com?
edited to add that this is a PA-220 running 8.1.13
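One way to triage what the poster describes from the traffic log itself, as an added example that is not part of this thread: it reads a constructed, simplified CSV export (column names are assumed; a real PAN-OS export has many more fields), pulls out sessions the firewall never identified an application for that the server reset, and shows which App-IDs each rule is actually matching.

```python
import csv
import io
from collections import Counter

# Constructed sample in a simplified PAN-OS traffic-log CSV shape. The column
# names are assumed for this example; addresses are TEST-NET documentation IPs.
SAMPLE_LOG = """rule,app,dst,dport,session_end_reason
allow-any,insufficient-data,192.0.2.10,993,tcp-rst-from-server
allow-any,incomplete,192.0.2.10,993,tcp-rst-from-server
allow-gmail,gmail-base,192.0.2.10,993,tcp-fin
allow-gmail,yahoo-mail-base,192.0.2.20,993,tcp-fin
allow-any,web-browsing,192.0.2.30,80,tcp-fin
"""

# App-ID values that mean the firewall did not identify the application.
UNIDENTIFIED = {"insufficient-data", "incomplete", "unknown-tcp", "unknown-udp"}


def parse_log(text):
    """Parse a CSV traffic-log export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def failed_unidentified(rows, port=None):
    """Return sessions with no identified application that the server reset,
    optionally limited to one destination port. These are the rows to compare
    against the same flows once a rule naming the App-ID is in place."""
    out = []
    for r in rows:
        if r["app"] in UNIDENTIFIED and r["session_end_reason"] == "tcp-rst-from-server":
            if port is None or int(r["dport"]) == port:
                out.append(r)
    return out


def apps_by_rule(rows):
    """Count which App-IDs each security rule matched, e.g. to see that a
    rule written for gmail-base is also matching yahoo-mail-base."""
    counts = {}
    for r in rows:
        counts.setdefault(r["rule"], Counter())[r["app"]] += 1
    return counts


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for r in failed_unidentified(rows, port=993):
        print("unidentified+reset:", r["rule"], r["app"], r["dst"])
    for rule, apps in apps_by_rule(rows).items():
        print(rule, dict(apps))
```

Point the parser at an actual export and filter on the port in question to see whether the unidentified, server-reset sessions line up with the rule that uses application "any".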
06-29-2021 01:42 PM
I'm on the latest AV and threat definitions, I believe:
AV: 3762-4273
Threat: 8422-6787
The URL filtering is just a curiosity - I really don't care if anyone uses IMAP to read Yahoo mail, I was just surprised to see it pop up after enabling the gmail application.
06-29-2021 01:43 PM
Hey @vsys_remo,
I know FW will use the cert CN as URL if traffic is encrypted, but I got the impression this is only valid for web-based traffic.
06-29-2021 01:53 PM
So far I did not use it (in production) to restrict anything other than web traffic (only in lab environments), but I can confirm it works generally, and I also have logs in the URL log from SMTPS, IMAPS and FTPS connections.