Exchange Question

L1 Bithead

I feel this may be a dumb question, but I was hoping somebody could give me clarification.

We had some issues with users receiving malware or a virus through a separate email account (e.g. testcompany.com) and opening it, and then it would send the email to users in their contact list, which included sending emails internally through the local Exchange server.

My original thought was that we could move the Exchange server directly behind the Palo Alto, into a "services" zone, and apply anti-virus / WildFire policies to it, to prevent malicious files from flowing internally and spamming tons of internal users.

After testing this, it does not seem to work the way I expected. It seems that the Palo Alto doesn't recognize traffic between the end user (Outlook) and the Exchange server in the way I was hoping. It does not seem to inspect attachments with local email. Is there any way to accomplish this type of security with a Palo Alto device?

(ZONE INT) <------> (ZONE SERVICES)

L7 Applicator

Hello gabrielhill,

Could you please let us know whether the connection to the Exchange server uses SSL? If so, you might need to implement SSL Decryption in order to inspect the content of the email.

Thanks

L1 Bithead

Thanks HULK. I am using an SSL connection. I have the certificate uploaded, and I have an SSL decryption policy as a test (just my PC and the Exchange server). I have it set to SSL Inbound Inspection.

When I try to send a .dll file to my email address, the Palo Alto is not showing it in the data filtering portion, nor is it blocking this (I have a rule that should prevent these types of files from flowing through).

I have also tried taking the encryption setting off between my client and the Exchange server, but it still does not block any attachments.

L7 Applicator

Could you please double-check the session details (from your machine to the Exchange server) from the CLI of the PAN firewall:

admin> show session all filter ssl-decrypt yes count yes

admin> show session all filter source x.x.x.x destination y.y.y.y

There should be a "*" symbol in the output, which confirms that the session is being decrypted:

366417       msrpc          ACTIVE  FLOW *   <<< decrypted


Thanks
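The check HULK describes above, done by script rather than by eye, as an added example that is not code from the thread or from Palo Alto Networks: parse "show session all" style output, keep only the sessions between a given client and server, and split them by whether the Flag column carries the "*" that the reply says marks a decrypted session. The column layout, the regular expressions and the sample output are assumptions modelled on the single row quoted in the reply (ID, application, state, type, flag, then the source, with the destination on the following line); compare them against your own firewall's output before relying on the script.

```python
"""Report which client<->server sessions carry the decrypt flag ("*").

Added example, not from the thread or from Palo Alto Networks. The table
layout parsed here is an ASSUMPTION based on the one row quoted in the
thread; verify it against real 'show session all' output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample output (NOT captured from a real firewall), laid out
# like the row quoted in the thread. Only two of the three sessions carry "*".
SAMPLE_OUTPUT = """\
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
366417       msrpc          ACTIVE  FLOW  *   10.1.1.25[49733]/INT/6  (10.1.1.25[49733])
vsys1                                         10.2.0.10[135]/SERVICES  (10.2.0.10[135])
366418       ms-exchange    ACTIVE  FLOW      10.1.1.25[49740]/INT/6  (10.1.1.25[49740])
vsys1                                         10.2.0.10[443]/SERVICES  (10.2.0.10[443])
366501       ssl            ACTIVE  FLOW  *   10.1.1.40[51200]/INT/6  (10.1.1.40[51200])
vsys1                                         10.2.0.10[443]/SERVICES  (10.2.0.10[443])
"""

# First line of an entry: id, app, state, type, optional "*" flag, then source.
# (Assumed layout; adjust if your firmware prints the columns differently.)
_HEAD = re.compile(
    r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<flag>\*)?\s*(?P<src>\d+\.\d+\.\d+\.\d+)\[(?P<sport>\d+)\]/"
    r"(?P<szone>[^/\s]+)/(?P<proto>\d+)"
)
# Second line of an entry: vsys, then destination.
_TAIL = re.compile(
    r"^(?P<vsys>\S+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\[(?P<dport>\d+)\]/(?P<dzone>\S+)"
)


@dataclass
class Session:
    id: str
    app: str
    state: str
    src: str
    sport: int
    src_zone: str
    dst: str
    dport: int
    dst_zone: str
    decrypted: bool  # True when the Flag column shows "*"


def parse_sessions(output: str) -> list[Session]:
    """Pair each session's first line with its destination line."""
    sessions: list[Session] = []
    pending: re.Match[str] | None = None  # head line waiting for its tail
    for line in output.splitlines():
        head = _HEAD.match(line)
        if head:
            pending = head
            continue
        tail = _TAIL.match(line)
        if tail and pending:
            sessions.append(Session(
                id=pending["id"], app=pending["app"], state=pending["state"],
                src=pending["src"], sport=int(pending["sport"]),
                src_zone=pending["szone"],
                dst=tail["dst"], dport=int(tail["dport"]), dst_zone=tail["dzone"],
                decrypted=pending["flag"] == "*",  # unmatched group is None
            ))
            pending = None
    return sessions


def sessions_between(output: str, source: str, destination: str) -> list[Session]:
    """Same selection as the CLI filter 'source x.x.x.x destination y.y.y.y'."""
    return [s for s in parse_sessions(output)
            if s.src == source and s.dst == destination]


def decrypt_report(output: str, source: str, destination: str) -> dict[str, list[str]]:
    """Split the client<->server sessions into decrypted / not decrypted,
    labelled 'id/app' so the result reads like the CLI row."""
    hits = sessions_between(output, source, destination)
    return {
        "decrypted": [f"{s.id}/{s.app}" for s in hits if s.decrypted],
        "not_decrypted": [f"{s.id}/{s.app}" for s in hits if not s.decrypted],
    }


if __name__ == "__main__":
    # Hypothetical client/server addresses matching the constructed sample.
    for label, rows in decrypt_report(SAMPLE_OUTPUT, "10.1.1.25", "10.2.0.10").items():
        print(f"{label}: {', '.join(rows) or '(none)'}")
```

In practice, save the firewall's own output of the two commands above to a file and feed it to parse_sessions instead of SAMPLE_OUTPUT; a session that shows up under "not_decrypted" (in the constructed sample, the ms-exchange flow) is one the decryption policy is not matching, which is exactly the symptom Bithead reports next.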

L1 Bithead

HULK, "show session all filter ssl-decrypt yes count yes" shows that I do have sessions that match this.

"show session all filter source x.x.x.x destination y.y.y.y": I do not see a "*" by the msrpc or ms-exchange connection.

I have the certificate from the Exchange server imported, and everything shows valid.

Is there anything I can do that could pinpoint me to the cause?

Thank you,
