01-29-2014 08:39 AM
It used to be best practice to not allow outgoing SMTP except from the primary server. I am finding more and more applications have a dependency of allowing SMTP outgoing. I am curious what others are doing with regard to these dependencies.
Thanks,
Bob
01-29-2014 10:28 AM
Hello Bob,
Please go through this discussion once: Re: Application Dependency PAN-OS 5.0.0. Hope it will help you to understand how application dependencies work on PAN firewall.
Related link: Application Research Center
Thanks
01-30-2014 08:47 AM
Thanks for your suggestion, however, I am more interested in if others are letting SMTP for all of the users whose apps require it.
Bob
01-30-2014 06:40 PM
Bob,
We only allow our SMTP gateway (Hub Transport) to send email outbound. We force application servers to relay off the Hub Transport. We control what servers are allowed to relay by using an access control list on the Hub Transport. I am assuming your question is a business policy / process issue.
Hope this helps.
Phil
01-30-2014 07:12 PM
Yes, that is helpful. It sounds more like what I am used to from the past. I am now working at a boarding school, and a number of iPad apps, web(ish) email programs, etc., have a dependency in the PA on outgoing port 25 as well as port 587. I am fortunate that the vast majority of workstations are Apple-based, so realistically it is not as big a concern as with a Windows OS.
Any additional thoughts would be appreciated,
Bob
02-01-2014 09:20 AM
You could try creating an outbound allow SMTP policy and have it flagged for the application of all the popular online mail services.
If the application awareness does not extend to SMTP, then you could manually determine the SMTP server destinations from these services' MX records. Then create an outbound destination-based rule that permits SMTP to these services but denies it more generally.
02-04-2014 03:50 PM
BobW wrote:
Yes, that is helpful. It sounds more like what I am used to from the past. I am now working at a boarding school, and a number of iPad apps, web(ish) email programs, etc., have a dependency in the PA on outgoing port 25 as well as port 587. I am fortunate that the vast majority of workstations are Apple-based, so realistically it is not as big a concern as with a Windows OS.
Any additional thoughts would be appreciated,
Bob
I deny it from everything except our authorised email gateway and just ignore the application dependency warnings I get every time I commit a config change.
02-05-2014 12:52 PM
You should tie the traffic down, permitting only valid outbound SMTP servers through the firewall. The issue you're facing is that your IP reputation can get tarnished by unruly clients and you'll end up on RBLs all over the place. That, of course, can impede your business processes.
Cheers,
Mike
02-05-2014 05:01 PM
msullivan wrote:
You should tie the traffic down, permitting only valid outbound SMTP servers through the firewall. The issue you're facing is that your IP reputation can get tarnished by unruly clients and you'll end up on RBLs all over the place. That, of course, can impede your business processes.
Cheers,
Mike
Which is exactly why I did it - some piece of i-Crap was sending email using SMTP and identifying itself as "localhost.localdomain", and I ended up in a blacklist somewhere which stopped my regular SMTP relay from working, despite it being configured correctly.
02-08-2014 11:52 AM
So what I have done is:
At least that will keep my primary IP off of any black lists.
Bob
02-08-2014 12:04 PM
Nice summary.
Using a different NAT pool for the public or web-browsing segments, as opposed to your primary SMTP or other servers, is a good practice. It keeps the botnet infections from poisoning the reputation of your production traffic.
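As an added example, not taken from this thread or from any poster: a small Python audit, run over constructed traffic-log lines in a simple key=value syslog style (not real PAN-OS log output), that lists allowed outbound SMTP/submission flows whose source is not the authorised mail gateway and flags the sources that repeat, the kind of check that backs the "deny everything except the gateway" policy described above. The gateway address, the internal address prefix and the log format are assumptions.

```python
# Added example, not from the thread: audit firewall traffic logs for outbound
# SMTP (25) / submission (587) flows that bypass the authorised mail gateway.
import re
from collections import Counter

# Hypothetical values: the only host permitted to send mail outbound, and the
# internal prefix that holds workstations, iPads and application servers.
AUTHORISED_GATEWAY = "10.0.0.25"
INTERNAL_PREFIX = "10."
SMTP_PORTS = {25, 587}

# Constructed sample log lines in a key=value style; not real PAN-OS output.
SAMPLE_LOGS = """\
action=allow src=10.0.0.25 dst=203.0.113.10 dport=25 proto=tcp app=smtp
action=allow src=10.0.5.14 dst=198.51.100.7 dport=587 proto=tcp app=smtp
action=allow src=10.0.5.14 dst=198.51.100.9 dport=25 proto=tcp app=smtp
action=allow src=10.0.7.3 dst=203.0.113.44 dport=25 proto=tcp app=smtp
action=allow src=10.0.5.14 dst=203.0.113.44 dport=25 proto=tcp app=smtp
action=allow src=10.0.9.2 dst=198.51.100.20 dport=443 proto=tcp app=ssl
action=deny src=10.0.8.8 dst=203.0.113.99 dport=25 proto=tcp app=smtp
"""

LINE_RE = re.compile(r"action=(\S+) src=(\S+) dst=(\S+) dport=(\d+)")

def parse_flows(text):
    """Turn log lines into (action, src, dst, dport) tuples; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            action, src, dst, dport = m.groups()
            flows.append((action, src, dst, int(dport)))
    return flows

def unauthorised_smtp(flows, gateway=AUTHORISED_GATEWAY):
    """Allowed outbound flows on 25/587 whose internal source is not the gateway."""
    return [(src, dst, dport) for action, src, dst, dport in flows
            if action == "allow" and dport in SMTP_PORTS
            and src.startswith(INTERNAL_PREFIX) and src != gateway]

def suspects_by_source(violations, threshold=2):
    """Sources with at least `threshold` hits: a misconfigured app or an infected
    client that will tarnish the reputation of the shared egress IP."""
    counts = Counter(src for src, _, _ in violations)
    return {src: n for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = unauthorised_smtp(parse_flows(SAMPLE_LOGS))
    for src, dst, dport in found:
        print(f"unauthorised SMTP: {src} -> {dst}:{dport}")
    print("repeat offenders:", suspects_by_source(found))
```

On a real deployment the same logic applies to exported traffic logs filtered on the outbound rule; the repeat-offender list is what you hand to whoever owns the client.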