My SMTP rule allows a lot of other traffic

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

My SMTP rule allows a lot of other traffic

L3 Networker

Hello,

I have a specific rule that only allows SMTP application.

When looking at the traffic logs related to this rule, I see a huge amount of other packets !

Most of them are "incomplete", but I also have a lots of applications like dns, oracle, RPC and unknown-tcp.

I heard that setting service to "application-default" could resolve thus kind of issue, but as my PaloAlto SE said "You don't have to care about port and services anymore, this next-gen fireall is based on application...."

I see...

Laurent

4 REPLIES 4

L4 Transporter

The incompletes I wouldn't worry about. That means the session did not complete the three-way handshake.

I still define the service (port) for all my policies. I would either set the port for app-default or port 25.

Indeed, when setting service to "application-default" it's much  better. No more heterogenous traffic. The only other traffic I get is  "incomplete".

Thanks for your help.

However I don't really understand why application signature was not sufficient in this case...

Regards,

Laurent

L4 Transporter

Hello Laurent,

Before being classified as SMTP traffic, TCP Three handshake must be completed (if not you see 'incomplete' in the logs).

Then, after few packets exchange, the PA is able to assign 'SMTP' protocol to the traffic flow.

If you do not use 'application-default or custom service, all traffic (on any port) match that rule...

Regards,

Hedi

L4 Transporter

When allowing traffic by application (SMTP in this case), a certain amount of traffic must be 'seen' by the Palo in order for it to determine whether the traffic is indeed SMTP.

You will receive an entry in the log against this rule for every packet destined to your SMTP server IP address regardless of whether it is SMTP or not.

Only those evaluated and determined to be SMTP will be allowed through.

As others have suggested, these can be greatly reduced if you set port as application-default - if that suits your intended use.

  • 3691 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!