02-20-2015 10:05 AM
I feel this may be a dumb question, but I was hoping somebody could give me clarification.
We had some issues with users receiving malware or a virus through a separate email account (e.g. testcompany.com), them opening it, and then it would send the email to users in their contact list, which included sending emails internally through the local Exchange server.
My original thought was that we could move the Exchange server directly behind the Palo Alto, into a "services" zone, and apply anti-virus / WildFire policies to it, to prevent malicious files from flowing internally and spamming tons of internal users.
After testing this, it does not seem that this works the way I expected. It seems that the Palo Alto doesn't recognize traffic between the end user (Outlook) and the Exchange server in the way I was hoping. It does not seem to inspect attachments with local email. Is there any way to accomplish this type of security with a Palo Alto device?
(ZONE INT) <------> (ZONE SERVICES)
02-20-2015 10:19 AM
Hello gabrielhill,
Could you please let us know if the Exchange server is connected with an SSL connection? If so, you might need to implement SSL decryption in order to inspect the content of the email.
Thanks
02-20-2015 11:02 AM
Thanks, HULK. I am using an SSL connection. I have the certificate uploaded, and I have an SSL decryption policy as a test (just my PC and the Exchange server). I have it set to ssl-inbound-inspection. I try to send
When I try to send a .dll file to my email address, the Palo Alto is not showing it in the data filtering portion, nor is it blocking this (I have a rule that should prevent these types of files from flowing through).
I have also tried taking the encryption setting off between my client and the Exchange server, but it still does not block any attachments.
02-20-2015 12:39 PM
Could you please double-check the session details (from your machine and Exchange server) from the CLI of the PAN firewall:
admin> show session all filter ssl-decrypt yes count yes
admin> show session all filter source x.x.x.x destination y.y.y.y >>>>>>>>>>>>> there should be a "*" symbol which will confirm that the session is getting decrypted
366417 msrpc ACTIVE FLOW * >>>>>>>>>>>>>>
Thanks
02-20-2015 09:02 PM
HULK, show session all filter ssl-decrypt yes count yes - shows that I do have sessions that match this.
show session all filter source x.x.x.x destination y.y.y.y - I do not see an "*" by the msrpc or ms-exchange connection.
I have the certificate from the Exchange server imported, and everything shows valid.
Is there anything I can do that could pinpoint me to the cause?
Thank you,