This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

SMTP port 25

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SMTP port 25

Go to solution
kdasanmartino
L1 Bithead

‎04-06-2022 03:58 PM

We are progressing to moving show services to the cloud and I'm been told that port 25 is not opened or being blocked in Palo Alto.  So where do I check to find out if this is being allowed or being blocked?

Sorry this is a really basic question but I've been asked to resolve this because the regular guy has left the company..

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
PavelK
Cyber Elite
Cyber Elite

‎04-06-2022 07:08 PM

Thank you for the post @kdasanmartino

 

if traffic is already flowing through Firewall, you can get this information from logs. Please navigate to: Monitor > Logs > Traffic, then you can use for example filter: ( port.dst eq 25)

 

If you need to test policy match, you can refer to this link: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/test-policy-rule-traffic-matches

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

View solution in original post

0 Likes Likes
4 REPLIES 4

Go to solution
PavelK
Cyber Elite
Cyber Elite

‎04-06-2022 07:08 PM

Thank you for the post @kdasanmartino

 

if traffic is already flowing through Firewall, you can get this information from logs. Please navigate to: Monitor > Logs > Traffic, then you can use for example filter: ( port.dst eq 25)

 

If you need to test policy match, you can refer to this link: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/test-policy-rule-traffic-matches

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
kdasanmartino
L1 Bithead

‎04-07-2022 07:45 AM

Thanks for your email.  I did find that port 25 is being denied by policy.  There is a policy in place for the ip address in question but don't see anything that indicates it's not allowing port 25. 

0 Likes Likes

Go to solution
Adrian_Jensen
L6 Presenter

‎04-07-2022 01:33 PM

How is the policy in place for the IP address applied? Is this inbound or outbound does it match the expected traffic path?

 

There are many different options in the Security Policies, and many ways to set them up, but you primarily want to focus on 6 fields in your Security Policies:

  • Source Zone - The zone the arriving packets appear in assigned by physical interface (i.e. "Trust" for you internal connection, "Untrust" for your internet connection, etc.)... whatever your previous admin named them.
  • Source Address - The source IP address for the packets (could be a specific server, group, or "any" for all sources).
  • Destination Zone - The zone exiting packets go out.
  • Destination Address - The destination IP address.
  • Application - This is how the PaloAlto classifies the type of traffic being passed (you can specify things like "smtp" and have the PA automatically determine and follow appropriate ports/protocols).
  • Service - This is the specific port/protocol combination of the traffic (i.e. an object "SMTP_PORTS=TCP/25" you have defined, "any", or "application-default" where it will depend on the Application set).

You can specify any/all of those values and the PA will match the passing traffic to the most specific rule found. So if your existing policy in place is for the specific IP Address, but the Application is "web browsing", then that policy will not match the SMTP traffic and the packets will fall thru to another rule, possibly ending up at the built in "interzone-default - Deny".

 

Examples, your specifics may vary depending on block lists, country exceptions, etc.:

Name = "Allow inbound SMTP/POP/IMAP/HTTP/HTTPS to mail server"

SrcZone = Untrust

SrcAddr = any  (you can restrict to specific IPs or geolocation regions like "US)

DstZone = DMZ

DstAddr = "mail-server" (address object you have defined under objects that points at DMZ IP 192.168.1.100)

Application = smtp,pop3,imap,web-browsing

Service = application-default

Action = Allow

 

 

Name = "Allow outbound SMTP connections from servers"

SrcZone = Trust

SrcAddr = 172.16.5.36,172.20.1.59

DstZone = Untrust

DstAddr = any

Application = any

Service = SMTP_PORTS

Action = Allow

 

Name = "Block all other outbound SMTP"

SrcZone = Trust

SrcAddr = any

DstZone = Untrust

DstAddr = any

Application = any

Service = SMTP_PORTS

Action = Deny

0 Likes Likes

Go to solution
kdasanmartino
L1 Bithead

‎04-07-2022 03:30 PM

Thanks for all the good information.  My Director has ask that I do not make changes to the Palo Alto system do to the importance of the system.

 

thanks again.

0 Likes Likes
  • 1 accepted solution
  • 4724 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks