GMAIL Base and SMTP - WTF??

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GMAIL Base and SMTP - WTF??

L4 Transporter

Folks.

The latest content update (pushed today, my time) gave me the following warning in the task when I installed it

VSYS1: Rule 'Outbound_Traffic' application dependency warning: Application 'gmail-base' requires 'smtp' to be allowed, but 'smtp' is denied by rule 'Outbound_Bad'

WTF? Since when does GMail require SMTP? The local installations don't use SMTP - they connect to GMail over HTTP/HTPS, and the GMail back-end servers do the SMTP stuff. Why does Palo Alto now think GMail requires SMTP? I should add that I have checked the release notes for this content release and they mention *nothing* about there being a change to the gmail-base app signature.

I'm not allowing SMTP outbound from everything, because the idiots who run crap like iJunk get my outbound address into blackholes by using misconfigured junk which identifies itself as "localhost.localdomain" in the SMTP EHLO sessions - yet I need GMail for regular use.

Anyone know what the hell is going on here? Impressed I am not.

Cheers

1 accepted solution

Accepted Solutions

L4 Transporter

Well, got my answer back from PA support.

Apparently, this was done to make some crApple device work properly, no doubt it broke as part of the on-going wars between Google and Apple.

From the last reply

===

To clarify further, Bug 52402 has already been filed with the category of resolved.

The reason for this dependency is that when using gmail on iPhone, the traffic goes out through smtp. After some live tests, it was decided to add smtp as the dependency app. Since this change is minor (no signature change but app definition change only), our release note generation script didn't automatically pick this up properly by adding gmail in the modified app release note section.

We will work with QA to make sure this shouldn't happen again in the future!

===


So I re-applied the update (which crashed the management plane, but that's maybe because of the quick upgrade/rollback I did in the first place), got the same warning - but web-based Gmail still works.


So now, I get a bloody warning every time I commit a policy change. Yay.

View solution in original post

20 REPLIES 20

L6 Presenter

I see the same behavior in my lab device too. I did not see anything mentioned in the release notes stating that any changes are made to application "gmail". This looks like a bug, please open a ticket with support for a resolution.

I already have.

Yet another Palo Alto QA failure right here, boys and girls.

I find your lack of Quality....disturbing.

Can I ask for the case number that was opened for this issue?

No, because they haven't given me one yet.

The joys of partner support.

Are you from Palo Alto, or do you just want to reference it for your own case?

L4 Transporter

When using clients to access Gmail, the outgoing mail server is smtp.gmail.com and this uses SMTP over SSL or StartTLS. This traffic will be identifed as smtp when using StartTLS or when the SSL session is decrypted.

https://support.google.com/mail/answer/13287?hl=en

He directly addressed this in his original description of the question... he's not using actual clients, he's using strictly web-based Gmail:

The local installations don't use SMTP - they connect to GMail over HTTP/HTPS, and the GMail back-end servers do the SMTP stuff. Why does Palo Alto now think GMail requires SMTP? I should add that I have checked the release notes for this content release and they mention *nothing* about there being a change to the gmail-base app signature.

The warning message identifies application dependencies for all potential app usage scenarios. If your particular scenario does not need the dependency, you can ignore the warning.

If that's the case, why have I *never* seen this warning before the last content package pushed to my device (375-1810).

I have not changed my rulebase. I have not changed my filtering parameters. I have been manually installing content updates since day dot (I have been bitten with automatic upgrades before, and I refuse to allow them to install automatically), and I have never once seen this warning on content install.

There was no mention of this change in the release notes. There's no comment anywhere that I can find from Palo Alto which says, or has said, that SMTP is a requirement. The previous application definition release has NO mention of SMTP being a dependency in the gmail app, or in any of its sub-apps.

I don't believe that SMTP is required at all for the Gmail web app - indeed, I've never seen a single packet going to Gmail which is identified as "SMTP" by the Palo Alto.

So for Palo Alto to suddenly push an app content release which links SMTP to Gmail without notice is a fail on their part, plain and simple.

That change was done in content version 375 and I definitely agree with you that it should have been listed in the content release notes. We are investigating why it missed the release notes and will try to prevent it in the future.

L4 Transporter

Well, got my answer back from PA support.

Apparently, this was done to make some crApple device work properly, no doubt it broke as part of the on-going wars between Google and Apple.

From the last reply

===

To clarify further, Bug 52402 has already been filed with the category of resolved.

The reason for this dependency is that when using gmail on iPhone, the traffic goes out through smtp. After some live tests, it was decided to add smtp as the dependency app. Since this change is minor (no signature change but app definition change only), our release note generation script didn't automatically pick this up properly by adding gmail in the modified app release note section.

We will work with QA to make sure this shouldn't happen again in the future!

===


So I re-applied the update (which crashed the management plane, but that's maybe because of the quick upgrade/rollback I did in the first place), got the same warning - but web-based Gmail still works.


So now, I get a bloody warning every time I commit a policy change. Yay.

It'd be nice if maybe a rule had a "don't warn me about dependencies" checkbox or something... I run into this every day too, because I don't have IPsec turned on for my GlobalProtect rule. I don't ever want to use IPSec... I only want to use SSL based VPN.

You're preaching to the converted, my friend.

v5 removes all the app dependency warnings.  Any required dependencies are included in the app. 

Really? So how come I still get the following every time I commit a config change?

VSYS1

     vsys1: Rule 'Outbound_Traffic' application dependency warning:

     Application 'gmail-base' requires 'smtp' be allowed, but 'smtp' is denied in Rule 'Outbound_Bad'

     Application 'gmail-base' requires 'smtp' be allowed, but 'smtp' is denied in Rule 'Outbound_Bad'

     Application 'gmail-base' requires 'smtp' be allowed, but 'smtp' is denied in Rule 'Outbound_Bad'

     Application 'gmail-base' requires 'smtp' be allowed, but 'smtp' is denied in Rule 'Outbound_Bad'

     Application 'gmail-base' requires 'smtp' be allowed, but 'smtp' is denied in Rule 'Outbound_Bad'

     Application 'gmail-base' requires 'smtp' be allowed, but 'smtp' is denied in Rule 'Outbound_Bad'

  • 1 accepted solution
  • 11324 Views
  • 20 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!