04-06-2022 03:58 PM
We are progressing to moving show services to the cloud and I've been told that port 25 is not opened or is being blocked in Palo Alto. So where do I check to find out if this is being allowed or being blocked?
Sorry, this is a really basic question, but I've been asked to resolve this because the regular guy has left the company.
04-06-2022 07:08 PM
Thank you for the post @kdasanmartino
If traffic is already flowing through the firewall, you can get this information from the logs. Please navigate to: Monitor > Logs > Traffic, then you can use, for example, the filter: ( port.dst eq 25 )
If you need to test policy match, you can refer to this link: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/test-policy-rule-traffic-matches
Kind Regards
Pavel
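The filter above tells you whether port-25 sessions are being allowed or denied, and the Rule column of each log line tells you which security rule made that decision. The following is an added example, not code from the thread or from Palo Alto Networks: it reads a CSV export of the traffic log (the column names are the ones PAN-OS uses in its CSV export, taken here as an assumption), applies the same `port.dst eq 25` filter, and summarises the sessions by rule and action so the denying rule stands out. The log lines are constructed for the example.

```python
"""Summarise which security rule handled each port-25 session from a CSV
export of Monitor > Logs > Traffic.  Added example, not from the thread or
from Palo Alto Networks.  The log lines are constructed; the column names
are assumed to match the PAN-OS traffic-log CSV export."""
import csv
import io
from collections import Counter

# Constructed sample export: two inbound SMTP attempts to the DMZ host that
# fall through to interzone-default, one web session that matches an existing
# rule, and two outbound SMTP sessions handled by explicit rules.
SAMPLE_CSV = """Receive Time,Source Zone,Destination Zone,Source address,Destination address,Destination Port,Application,Rule,Action,Session End Reason
2022/04/06 14:01:07,Untrust,DMZ,203.0.113.5,192.168.1.100,25,smtp,interzone-default,deny,policy-deny
2022/04/06 14:01:09,Untrust,DMZ,203.0.113.5,192.168.1.100,80,web-browsing,Allow inbound web to DMZ host,allow,tcp-fin
2022/04/06 14:02:31,Trust,Untrust,172.16.5.36,198.51.100.10,25,smtp,Allow outbound SMTP connections from servers,allow,tcp-fin
2022/04/06 14:03:45,Trust,Untrust,172.16.5.99,198.51.100.10,25,smtp,Block all other outbound SMTP,deny,policy-deny
2022/04/06 14:05:12,Untrust,DMZ,198.51.100.77,192.168.1.100,25,smtp,interzone-default,deny,policy-deny
"""


def sessions_on_port(csv_text, port="25"):
    """Equivalent of the GUI filter ( port.dst eq <port> ): the log rows whose
    destination port matches.  Ports are compared as strings because that is
    how the CSV carries them."""
    return [row for row in csv.DictReader(io.StringIO(csv_text))
            if row["Destination Port"] == port]


def port25_by_rule(csv_text, port="25"):
    """Count sessions per (src zone, dst zone, dst address, rule, action).
    The Rule column is the answer to 'which rule is denying port 25?'."""
    counts = Counter()
    for row in sessions_on_port(csv_text, port):
        key = (row["Source Zone"], row["Destination Zone"],
               row["Destination address"], row["Rule"], row["Action"])
        counts[key] += 1
    return counts


def denying_rules(csv_text, port="25"):
    """Names of the rules that denied sessions on the port.  A hit on
    interzone-default means no explicit rule matched the traffic at all."""
    return {row["Rule"] for row in sessions_on_port(csv_text, port)
            if row["Action"] == "deny"}


def build_filter(dst_port, dst_ip=None, src_ip=None):
    """Compose the Monitor > Logs > Traffic filter string that narrows the
    port filter to a particular host, using the addr.dst / addr.src terms."""
    terms = [f"( port.dst eq {dst_port} )"]
    if dst_ip:
        terms.append(f"( addr.dst in {dst_ip} )")
    if src_ip:
        terms.append(f"( addr.src in {src_ip} )")
    return " and ".join(terms)


if __name__ == "__main__":
    for key, n in sorted(port25_by_rule(SAMPLE_CSV).items()):
        print(n, key)
    print("denying rules:", denying_rules(SAMPLE_CSV))
    print("GUI filter:", build_filter(25, dst_ip="192.168.1.100"))
```

Reading the Rule column this way is what distinguishes "no rule allows it, so interzone-default dropped it" from "an explicit deny rule is in the way", which are fixed differently.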
04-07-2022 07:45 AM
Thanks for your email. I did find that port 25 is being denied by policy. There is a policy in place for the IP address in question, but I don't see anything that indicates it's not allowing port 25.
04-07-2022 01:33 PM
How is the policy in place for the IP address applied? Is this inbound or outbound, and does it match the expected traffic path?
There are many different options in the Security Policies, and many ways to set them up, but you primarily want to focus on 6 fields in your Security Policies:
You can specify any/all of those values and the PA will match the passing traffic to the most specific rule found. So if your existing policy in place is for the specific IP address, but the Application is "web-browsing", then that policy will not match the SMTP traffic and the packets will fall through to another rule, possibly ending up at the built-in "interzone-default - Deny".
Examples; your specifics may vary depending on block lists, country exceptions, etc.:
Name = "Allow inbound SMTP/POP/IMAP/HTTP/HTTPS to mail server"
SrcZone = Untrust
SrcAddr = any (you can restrict to specific IPs or geolocation regions like "US")
DstZone = DMZ
DstAddr = "mail-server" (address object you have defined under objects that points at DMZ IP 192.168.1.100)
Application = smtp,pop3,imap,web-browsing
Service = application-default
Action = Allow
Name = "Allow outbound SMTP connections from servers"
SrcZone = Trust
SrcAddr = 172.16.5.36,172.20.1.59
DstZone = Untrust
DstAddr = any
Application = any
Service = SMTP_PORTS
Action = Allow
Name = "Block all other outbound SMTP"
SrcZone = Trust
SrcAddr = any
DstZone = Untrust
DstAddr = any
Application = any
Service = SMTP_PORTS
Action = Deny
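One detail worth being precise about when reading the three rules above: PAN-OS evaluates the security rulebase top-down and stops at the first rule whose fields all match, so rule order decides the outcome, not specificity. The following is an added example, not code from the thread or from Palo Alto Networks, that models that first-match evaluation over a simplified rulebase built from the thread's three rules plus a pre-existing "web-browsing only" rule for the DMZ host. It shows the fall-through to interzone-default described above, the effect of placing the "Block all other outbound SMTP" rule above the server allow rule, and what application-default does to SMTP on a non-standard port. Zone names, CIDRs, the members of the SMTP_PORTS service group and the application-default port table are assumptions for the example.

```python
"""Top-down, first-match evaluation of a simplified PAN-OS style security
rulebase.  Added example, not from the thread or from Palo Alto Networks;
rule names, zones and addresses mirror the thread's examples.  Assumptions:
only the match fields discussed in the thread are modelled, address objects
are written as CIDRs, and application-default ports are hard-coded for the
handful of App-IDs used."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed application-default ports for the App-IDs used below.
APP_DEFAULT_PORTS = {"smtp": {25}, "pop3": {110}, "imap": {143},
                     "web-browsing": {80}, "ssl": {443}}
# Assumed members of the SMTP_PORTS service group from the thread.
SMTP_PORTS = {25, 465, 587}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: frozenset
    src_addr: frozenset      # {"any"} or CIDR strings
    dst_zone: frozenset
    dst_addr: frozenset
    application: frozenset   # {"any"} or App-ID names
    service: frozenset       # {"any"}, {"application-default"} or port numbers
    action: str              # "allow" or "deny"


def _in(allowed, value):
    return "any" in allowed or value in allowed


def _addr_match(allowed, ip):
    if "any" in allowed:
        return True
    return any(ip_address(ip) in ip_network(cidr, strict=False) for cidr in allowed)


def _service_match(rule, app, port):
    if "any" in rule.service:
        return True
    if "application-default" in rule.service:
        # smtp on 2525 fails here: application-default only admits the app's standard ports.
        return port in APP_DEFAULT_PORTS.get(app, set())
    return port in rule.service


def match(rulebase, src_zone, src_ip, dst_zone, dst_ip, app, port):
    """Return (rule_name, action) of the first rule that matches, scanning
    top-down and stopping at the first hit.  If nothing matches, the built-in
    intrazone-default allows same-zone traffic and interzone-default denies
    everything else."""
    for r in rulebase:
        if (_in(r.src_zone, src_zone) and _addr_match(r.src_addr, src_ip)
                and _in(r.dst_zone, dst_zone) and _addr_match(r.dst_addr, dst_ip)
                and _in(r.application, app) and _service_match(r, app, port)):
            return r.name, r.action
    return ("intrazone-default", "allow") if src_zone == dst_zone else ("interzone-default", "deny")


def rule(name, sz, sa, dz, da, apps, svc, action):
    return Rule(name, frozenset(sz), frozenset(sa), frozenset(dz), frozenset(da),
                frozenset(apps), frozenset(svc), action)


# The situation in the thread: a rule exists for the DMZ host, but only for web-browsing.
EXISTING_WEB = rule("Allow inbound web to DMZ host", ["Untrust"], ["any"], ["DMZ"],
                    ["192.168.1.100/32"], ["web-browsing"], ["application-default"], "allow")
# The three rules suggested in the thread ("mail-server" object = 192.168.1.100).
INBOUND_MAIL = rule("Allow inbound SMTP/POP/IMAP/HTTP/HTTPS to mail server", ["Untrust"], ["any"],
                    ["DMZ"], ["192.168.1.100/32"], ["smtp", "pop3", "imap", "web-browsing"],
                    ["application-default"], "allow")
OUTBOUND_SERVERS = rule("Allow outbound SMTP connections from servers", ["Trust"],
                        ["172.16.5.36/32", "172.20.1.59/32"], ["Untrust"], ["any"], ["any"],
                        SMTP_PORTS, "allow")
BLOCK_OUTBOUND = rule("Block all other outbound SMTP", ["Trust"], ["any"], ["Untrust"], ["any"],
                      ["any"], SMTP_PORTS, "deny")

BEFORE = [EXISTING_WEB]                                             # SMTP falls through to interzone-default
AFTER = [EXISTING_WEB, INBOUND_MAIL, OUTBOUND_SERVERS, BLOCK_OUTBOUND]
MISORDERED = [EXISTING_WEB, INBOUND_MAIL, BLOCK_OUTBOUND, OUTBOUND_SERVERS]  # deny placed above the allow

if __name__ == "__main__":
    for label, rb in (("before", BEFORE), ("after", AFTER), ("misordered", MISORDERED)):
        print(label, "inbound smtp/25 ->", match(rb, "Untrust", "203.0.113.5", "DMZ", "192.168.1.100", "smtp", 25))
        print(label, "outbound smtp/25 from 172.16.5.36 ->",
              match(rb, "Trust", "172.16.5.36", "Untrust", "198.51.100.10", "smtp", 25))
```

The MISORDERED rulebase is the case to watch for when adding a catch-all deny: the servers listed in the allow rule are silently blocked because the deny sits above it, and the traffic log would show the deny rule's name rather than interzone-default. On the real firewall the same question is answered without a commit by the test security-policy-match CLI command linked earlier in the thread.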
04-07-2022 03:30 PM
Thanks for all the good information. My Director has asked that I do not make changes to the Palo Alto system due to the importance of the system.
thanks again.