SMTP port 25

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SMTP port 25

L1 Bithead

We are progressing to moving show services to the cloud and I'm been told that port 25 is not opened or being blocked in Palo Alto.  So where do I check to find out if this is being allowed or being blocked?

Sorry this is a really basic question but I've been asked to resolve this because the regular guy has left the company..

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Thank you for the post @kdasanmartino

 

if traffic is already flowing through Firewall, you can get this information from logs. Please navigate to: Monitor > Logs > Traffic, then you can use for example filter: ( port.dst eq 25)

 

If you need to test policy match, you can refer to this link: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/test-policy-rule-traffic-matches

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

Thank you for the post @kdasanmartino

 

if traffic is already flowing through Firewall, you can get this information from logs. Please navigate to: Monitor > Logs > Traffic, then you can use for example filter: ( port.dst eq 25)

 

If you need to test policy match, you can refer to this link: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/test-policy-rule-traffic-matches

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Thanks for your email.  I did find that port 25 is being denied by policy.  There is a policy in place for the ip address in question but don't see anything that indicates it's not allowing port 25. 

L6 Presenter

How is the policy in place for the IP address applied? Is this inbound or outbound does it match the expected traffic path?

 

There are many different options in the Security Policies, and many ways to set them up, but you primarily want to focus on 6 fields in your Security Policies:

  • Source Zone - The zone the arriving packets appear in assigned by physical interface (i.e. "Trust" for you internal connection, "Untrust" for your internet connection, etc.)... whatever your previous admin named them.
  • Source Address - The source IP address for the packets (could be a specific server, group, or "any" for all sources).
  • Destination Zone - The zone exiting packets go out.
  • Destination Address - The destination IP address.
  • Application - This is how the PaloAlto classifies the type of traffic being passed (you can specify things like "smtp" and have the PA automatically determine and follow appropriate ports/protocols).
  • Service - This is the specific port/protocol combination of the traffic (i.e. an object "SMTP_PORTS=TCP/25" you have defined, "any", or "application-default" where it will depend on the Application set).

You can specify any/all of those values and the PA will match the passing traffic to the most specific rule found. So if your existing policy in place is for the specific IP Address, but the Application is "web browsing", then that policy will not match the SMTP traffic and the packets will fall thru to another rule, possibly ending up at the built in "interzone-default - Deny".

 

Examples, your specifics may vary depending on block lists, country exceptions, etc.:

Name = "Allow inbound SMTP/POP/IMAP/HTTP/HTTPS to mail server"

SrcZone = Untrust

SrcAddr = any  (you can restrict to specific IPs or geolocation regions like "US)

DstZone = DMZ

DstAddr = "mail-server" (address object you have defined under objects that points at DMZ IP 192.168.1.100)

Application = smtp,pop3,imap,web-browsing

Service = application-default

Action = Allow

 

 

Name = "Allow outbound SMTP connections from servers"

SrcZone = Trust

SrcAddr = 172.16.5.36,172.20.1.59

DstZone = Untrust

DstAddr = any

Application = any

Service = SMTP_PORTS

Action = Allow

 

Name = "Block all other outbound SMTP"

SrcZone = Trust

SrcAddr = any

DstZone = Untrust

DstAddr = any

Application = any

Service = SMTP_PORTS

Action = Deny

L1 Bithead

Thanks for all the good information.  My Director has ask that I do not make changes to the Palo Alto system do to the importance of the system.

 

thanks again.

  • 1 accepted solution
  • 6279 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!