I have a specific rule that only allows SMTP application.
When looking at the traffic logs related to this rule, I see a huge amount of other packets!
Most of them are "incomplete", but I also have a lot of applications like dns, oracle, RPC and unknown-tcp.
I heard that setting service to "application-default" could resolve this kind of issue, but as my Palo Alto SE said, "You don't have to care about port and services anymore, this next-gen firewall is based on application...."
Before being classified as SMTP traffic, the TCP three-way handshake must be completed (if not, you see 'incomplete' in the logs).
Then, after a few packets are exchanged, the PA is able to assign the 'SMTP' application to the traffic flow.
If you do not use 'application-default' or a custom service, all traffic (on any port) matches that rule...
When allowing traffic by application (SMTP in this case), a certain amount of traffic must be 'seen' by the Palo in order for it to determine whether the traffic is indeed SMTP.
You will receive an entry in the log against this rule for every packet destined to your SMTP server IP address regardless of whether it is SMTP or not.
Only those evaluated and determined to be SMTP will be allowed through.
As others have suggested, these can be greatly reduced if you set port as application-default - if that suits your intended use.
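To make the two answers above concrete, here is an added example (not from the thread or from Palo Alto Networks) that summarises the traffic log for the rule and shows which entries would no longer match it once the service is changed from 'any' to application-default. The log lines are constructed, in a simplified CSV layout rather than the real PAN-OS export format, and the standard SMTP ports (25 and 587) are an assumption to check against your own App-ID database.

```python
import csv
from collections import Counter
from io import StringIO

# Assumed App-ID standard ports for 'smtp' (check your App-ID database).
APP_DEFAULT_PORTS = {"smtp": {25, 587}}

# Constructed sample: a simplified CSV export, not a real PAN-OS log format.
SAMPLE_LOG = """rule,app,dport,session_end_reason
allow-smtp,smtp,25,tcp-fin
allow-smtp,incomplete,25,aged-out
allow-smtp,incomplete,3389,aged-out
allow-smtp,dns,53,policy-deny
allow-smtp,oracle,1521,policy-deny
allow-smtp,msrpc,135,policy-deny
allow-smtp,unknown-tcp,8080,policy-deny
allow-smtp,smtp,587,tcp-fin
"""


def parse_log(text):
    """Parse the CSV export into dicts with an integer destination port."""
    return [dict(row, dport=int(row["dport"])) for row in csv.DictReader(StringIO(text))]


def matches_app_default(row, allowed_app="smtp"):
    """With service=application-default the rule only matches sessions whose
    destination port is a standard port of the allowed application."""
    return row["dport"] in APP_DEFAULT_PORTS[allowed_app]


def summarise(rows, rule="allow-smtp", allowed_app="smtp"):
    """Count what the rule logs today and what would fall out of it
    if its service were changed from 'any' to 'application-default'."""
    rows = [r for r in rows if r["rule"] == rule]
    kept = [r for r in rows if matches_app_default(r, allowed_app)]
    dropped = [r for r in rows if not matches_app_default(r, allowed_app)]
    return {
        "total": len(rows),
        "by_app": dict(Counter(r["app"] for r in rows)),
        "incomplete": sum(r["app"] == "incomplete" for r in rows),
        "kept_with_app_default": len(kept),
        "dropped_by_app": dict(Counter(r["app"] for r in dropped)),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Note that 'incomplete' sessions aimed at port 25 still match after the change, since the port is right and the handshake simply never finished; application-default only removes the entries that arrived on non-SMTP ports.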