09-15-2014 05:27 AM
What is the configuration needed for a PA-500 to allow emails to go out? We use Exchange and a Cisco spam blocker using port 25. We are receiving emails fine but external emails are not being sent out.
09-15-2014 05:35 AM
Hi
A regular security policy allowing application smtp with application-default service ports from your Exchange and/or spam blocker (depending on whether you have outbound mail go through the spam blocker as well) to the untrust zone should be enough to allow emails to go out.
You may need to verify whether proper NAT is being applied on the outgoing connections via the traffic log or session browser.
09-15-2014 05:47 AM
Hi,
I have a destination NAT for the Cisco block so it can be reached externally. Do I need something else?
09-15-2014 05:50 AM
Hi ARP,
Policy and NAT should be enough. Can you please check the traffic log for outgoing mails?
Monitor > Traffic > Search with application smtp
If multiple packets are exchanged in the traffic logs, then it's not a policy or NAT issue.
If NO, then it's a policy issue.
Provide us the Traffic log.
Regards,
Hardik Shah
09-15-2014 06:13 AM
Hi ARP,
Please click on the magnifying glass at the beginning and provide that detailed log.
Regards,
Hardik Shah
09-15-2014 06:27 AM
Hi ARP,
I can see SMTP traffic allowed; in fact, a total of 25 packets have been exchanged, hence it's not a policy issue.
Moreover, I can see NAT as well, so it's not a NAT issue either.
The next thing you should check is errors on the Exchange Server, because the firewall configuration appears to be good.
Regards,
Hardik Shah
09-15-2014 06:28 AM
A good amount of traffic is passing through the PAN firewall. So, from the PAN point of view, it seems to be working fine.
Thanks
09-15-2014 10:07 AM
Let us know if you have further queries.
09-15-2014 10:21 AM
No errors or warnings on the Exchange server or Cisco spam blocker. When I connect the old ASA firewall back up, emails go through fine.
09-15-2014 10:25 AM
Hello ARP,
Are all of the emails failing to go through?
Is there any Deny log in Threat for the SMTP server?
Can you try to create a policy at the top to allow smtp traffic without any profile? That will help us narrow down the issue.
Regards,
Hardik Shah
09-15-2014 10:32 AM
Can you create a test rule to allow zones inside to outside, destination address = 107.14.166.72, application = Any, service = Any?
If this allows emails to go out, you may need to evaluate what ports are being used.
09-17-2014 09:55 AM
After evaluating what ports were being used, I had to allow a few more applications, which also had some dependent applications.
See below. Thanks for the help!
09-17-2014 10:17 AM
Hi ARP,
I guess the firewall is on a 4.1.x image; in 5.0 or later releases you don't have to add dependent applications.
Regards,
Hardik Shah