
Email not going out


L2 Linker

What is the configuration needed for a PA-500 to allow emails to go out? We use Exchange and a Cisco spam blocker using port 25. We are receiving emails fine but external emails are not being sent out.

1 accepted solution

Accepted Solutions

Hello ARP,

Do all the emails not flow through?

Is there any Deny log in Threat for the SMTP server?

Can you try to create a policy at the top to allow smtp traffic without any profile? That will help us to narrow down the issue.

Regards,

Hardik Shah


15 REPLIES

Cyber Elite

Hi

A regular security policy allowing application smtp with application-default service ports from your Exchange and/or spam blocker (depending on whether you have outbound mail go through the spam blocker as well) to the untrust zone should be enough to allow emails to go out.

You may need to verify if proper NAT is being applied on the outgoing connections via the traffic log or session browser.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L2 Linker

Hi,

I have a destination NAT for the Cisco block so it can be reached externally. Do I need something else?

Hi ARP,

Policy and NAT should be enough. Can you please check the traffic log for outgoing mails?

Monitor > Traffic > Search with application smtp

If multiple packets are exchanged in the traffic logs, then it's not a policy or NAT issue.

If NO, then it's a policy issue.

Provide us the traffic log.

Regards,

Hardik Shah

L2 Linker

Here is the log

Hi ARP,

Please click on the magnifying glass at the beginning and provide that detailed log.

Regards,

Hardik Shah

L2 Linker

Here it is.

Hi ARP,

I can see SMTP traffic allowed; in fact, a total of 25 packets have been exchanged, hence it's not a policy issue.

Moreover, I can see NAT as well, so it's not a NAT issue either.

Next, you should check for errors on the Exchange Server, because the firewall configuration appears to be good.

Regards,

Hardik Shah

L7 Applicator

A good amount of traffic is passing through the PAN firewall. So, from the PAN point of view, it seems to be working fine.

Thanks

Let us know for further queries.

No errors or warnings on the Exchange server or Cisco spam blocker. When I connect the old ASA firewall back up, emails go through fine.

L4 Transporter

Can you create a test rule to allow zones inside to outside destination address = 107.14.166.72 application = Any service = Any?

If this allows emails to go out, you may need to evaluate what ports are being used.

L2 Linker

After evaluating what ports were being used, I had to allow a few more applications, which also had some dependent applications.

See below. Thanks for the help!

Hi ARP,

I guess the firewall is on a 4.1.x image; in 5.0 or later releases you don't have to add dependent applications.

Regards,

Hardik Shah
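
The triage the replies above walk through (filter the traffic log for the mail server, then see which applications and ports it actually uses), sketched as an added example that is not part of the original thread. The CSV column names, addresses and rows are constructed for illustration and do not reproduce a real export format.

```python
import csv
import io
from collections import defaultdict

# Constructed rows shaped like a traffic-log CSV export. The column names,
# addresses and values are assumptions for this example, not a real export.
SAMPLE_LOG = """\
src,dst,dport,app,action,packets
10.0.0.25,203.0.113.10,25,smtp,allow,25
10.0.0.25,203.0.113.10,25,smtp,allow,31
10.0.0.25,203.0.113.12,443,ssl,deny,1
10.0.0.25,203.0.113.13,53,dns,deny,1
10.0.0.40,203.0.113.10,80,web-browsing,allow,12
"""

def summarize(log_text, mail_hosts):
    """Count sessions and packets per (app, dport, action) for the mail hosts."""
    summary = defaultdict(lambda: {"sessions": 0, "packets": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["src"] not in mail_hosts:
            continue  # only traffic sourced from the mail server / spam filter
        key = (row["app"], int(row["dport"]), row["action"])
        summary[key]["sessions"] += 1
        summary[key]["packets"] += int(row["packets"])
    return dict(summary)

def needs_review(summary, allowed_apps):
    """Return (app, dport) pairs that were denied or are missing from the rule."""
    flagged = {
        (app, dport)
        for (app, dport, action) in summary
        if action != "allow" or app not in allowed_apps
    }
    return sorted(flagged)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, {"10.0.0.25"})
    for (app, dport, action), stats in sorted(result.items()):
        print(f"{app:<14}{dport:<6}{action:<6}{stats['sessions']} sessions, "
              f"{stats['packets']} packets")
    print("review:", needs_review(result, {"smtp"}))
```

Anything `needs_review` returns is a candidate for the mail rule's application list; smtp sessions with many packets exchanged match the "not a policy or NAT issue" reading given earlier in the thread.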
