Handling Google Mail (1e100.net)?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Handling Google Mail (1e100.net)?

L2 Linker

So our organization makes use of Google's cloud services as our email provider and it's a nightmare trying to control on the PA's as they don't accept wildcard's for IP's nor FQDN's.  Challenge here is Google seems to send emails (SMTP) to every **bleep** *.*.*.26 and *.*.*.27 address on the planet (1e100.net servers) and gets old coming in every day and adding more IP's to the "allow" list as they pop up (already up to 328 entries).  Anybody found a way to manage these?

1 accepted solution

Accepted Solutions

Google publishes how to retrieve the list of IP address ranges in use:

 - https://support.google.com/a/answer/60764?hl=en

 

It'd be a pain to do that manually and on a regular basis.  This is exactly what MineMeld was designed to do:  automatically download external data (such as a big list of google IP addresses), process it, and publish it in a format compatible with External Dynamic Lists:

 - https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/external-dynamic-list

 

Then your firewall policy references a single object that is continually updated by MineMeld.  No more manually adjusting that object on a regular basis.  Automate that stuff.  

  

 

 

 

 

View solution in original post

11 REPLIES 11

L7 Applicator

I wonder if this is a problem that you could solve with MineMeld (https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld).  

 

It looks like there are a couple of "google netblock" prototypes.  Maybe one of those would work, or the team behind MineMeld could provide some additional suggestions?  

 

Capture.PNG

It would be nice if Palo just added the dang functionallity of wildcards or FQDNs in the policy map. We all know that this is possible since almost every other major Firewall brand is offering it, and Palo itself is capabale when it comes to URL Filtering. I don't see any reason to have to buy MineMeld to get this to function. 

I'd recommend getting with your Palo Alto Networks SE so that they can log a vote for you in the feature request system for this.

 

MineMeld is free.  

L6 Presenter

@PeterT, asking the obvious question, why not just allow the "gmail" application?  Is there some security policy which requires the application being tied to a set of IPs?

 

Maybe you could reach out to your SE, as suggested previously, and maybe they can help get you more specifics on the guts of the application signature which could assuage your security team to not restrict to a specific set of IPs?

I've found the best way to actually manage something like this is app-id and URL Filtering. Trying to keep up with the IP addresses of different service providers (Google, Azure, AWS) is only going to get more difficult; you may try and contact Google Support and see if they will give you the IP address list itself that is associated with 1e100, they are generally pretty good at handing out that information. 

App-ID doens't work here as it's SMTP traffic and as such doesn't get identified as gmail (as that only identifies https web traffic).  URL filters will fail here as it's SMTP so irrelevant.

 

Will reach out and nag on SE but honestly never had a single issue I broached with a SE in years from any vendor ever fixed so I assume they are basically useless.  Hell I can't get bugs fixed much less feature requests.

Google publishes how to retrieve the list of IP address ranges in use:

 - https://support.google.com/a/answer/60764?hl=en

 

It'd be a pain to do that manually and on a regular basis.  This is exactly what MineMeld was designed to do:  automatically download external data (such as a big list of google IP addresses), process it, and publish it in a format compatible with External Dynamic Lists:

 - https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/external-dynamic-list

 

Then your firewall policy references a single object that is continually updated by MineMeld.  No more manually adjusting that object on a regular basis.  Automate that stuff.  

  

 

 

 

 

@jvalentine don't you need additonal licensing to run MindMeld? I thought that was the case but looking into it a little bit now I can't actually see anything that references a license for the product. 

@BPry, MineMeld is open source.  You just need to provide a host run run it on (either as a VM, in the cloud, or on bare metal).  

 

There is no licensing required to interface MineMeld to a Palo Alto Networks firewall.  The communication is done primarily via the External Dynamic List feature in PAN-OS, which is a base feature of the platform.  

@jvalentine thanks for the info! For some reason I can't remember I thought that MindMeld was a licensed product. 

Cyber Elite
Cyber Elite

Hello,

How do your clients connect to the cloud service? If its a URL, you can use a URL filter to allow to that URL and the PAN will handle the DNS lookups. Or maybe we are not understanding the topology or question, maybe a simple diagram or a snippet of the traffic logs, if you can post them might help us out?

 

Regards,

  • 1 accepted solution
  • 8316 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!