Rule to allow Client based email



L4 Transporter

I'm trying to figure out the best way to write a rule to allow mobile devices access to their personal email. Browser-based email works fine since it's mostly on 443 (or 80), which we allow out. But what about client-based email not on 80/443? For example...

- Using the iOS Exchange client to retrieve Gmail or Yahoo mail, it uses Secure IMAP on TCP/993. There is no App-ID for Secure IMAP. There is only an App-ID for IMAP on TCP/143. Because of this, I would have to write a rule to allow email based on destination port (or service). This may be a pain if there are other mail servers that use their own non-standard ports.

- Using the Android Gmail client, it uses TCP/5228. This traffic is actually identified by Palo Alto as "google-talk-base". So a rule that uses an App-ID would not work, since it doesn't identify it correctly.

...I did try to create a rule that allowed ALL apps under the subcategory of "Email", with the Service as "Application Default", but PA kept complaining about other dependent apps like myspace-base, SSL and web-browsing. The problem with this is that now we are back to a port-based type of rule (since SSL will allow 443 and web-browsing will allow 80 in this rule; we don't necessarily want that), which brings me back to the issue where I'll need to find out which ports different mail servers might be using, and open them up in the firewall.

In the end, we would like to be able to rely on Palo Alto's App ID to write rules, and not have to resort to the old fashioned port based rules.
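The two rule shapes discussed in the post, written out as PAN-OS set commands, as an added example that is not part of the original post and not Palo Alto's own guidance. It assumes the zone names "mobile" and "untrust", the object names "imaps-993" and "email-apps", and PAN-OS set-command syntax as I know it (check it against your release). The first rule is the port-based workaround the poster describes for TCP/993, kept narrow by binding it to a single service object and to the "ssl" App-ID rather than "any"; the second is the App-ID-based rule using an application filter on the "email" subcategory with application-default ports, which is where the dependency complaints (ssl, web-browsing) come from.

```text
# Constructed example; zone and object names are assumptions.

# Workaround for Secure IMAP (TCP/993), which has no App-ID of its own:
# a dedicated service object so the rule opens only 993, not "any".
set service imaps-993 protocol tcp port 993

# Allow only traffic identified as ssl on that port, from the mobile zone out.
set rulebase security rules allow-mobile-imaps from mobile to untrust source any destination any application ssl service imaps-993 action allow

# App-ID based rule: every application in the "email" subcategory on its
# default ports. Dependent apps such as ssl and web-browsing are what PA
# flags as missing from this rule; adding them with application-default
# would open 443 and 80, which is the trade-off described in the post.
set application-filter email-apps subcategory email
set rulebase security rules allow-mobile-email from mobile to untrust source any destination any application email-apps service application-default action allow

# Review in the traffic log which App-ID and port each client actually hit
# before widening either rule (e.g. google-talk-base on TCP/5228 for the
# Android Gmail client, as observed in the post).
```

The point of splitting the two rules is visibility: the service-bound rule shows up in the traffic log with its own name and a single port, so it is obvious later which flows only exist because of the port-based exception.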

1 REPLY

L4 Transporter

Just to add to this... some App-IDs have a dependency on allowing SMTP from the clients. How are people handling this?

Thanks

Bob
