The other day we discovered that our SMTP server was unable to send email to the silvacom.com domain.
The problem was traced to our PAN rule which allows only SMTP traffic to emanate from our email server, on the application-default port. All attempts to deliver email to this domain, however, were being seen by the PAN as FTP traffic on TCP port 25 (instead of SMTP) and were denied. (We are on PANOS v3.1.8.)
The MX record for this domain references ftpmail.isogis.com (which is also their OWA and FTP server).
Once I created another rule specifically for this destination IP which allowed our email server to just connect on port 25 using any application, email was delivered and traffic properly classified as SMTP. See screenshot of the traffic before and after this new rule was implemented.
How can this sort of mis-classification happen? Does PAN look at the DNS name of the host and determine it's FTP? It seems rather strange that it would make such a mistake for a fairly basic protocol.
I have one customer experiencing the same kind of SMTP mis-classification.
SMTP traffic is classified as RSS in our case (for a specific domain and a specific mail message type)
The recommendation I gave is to allow the port with ANY as application. Not exactly perfect but a valid work around.
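Before opening port 25 to any application as the reply suggests, it helps to see exactly which destinations are triggering the wrong App-ID so the exception rule can be scoped to them. The script below is an added example and not from this thread or from Palo Alto Networks; it reads a constructed, simplified CSV (not the real PAN-OS traffic log export layout) and flags port-25 sessions from an assumed mail server address that were not identified as smtp, covering both the ftp case in the original post and the rss case in the reply.

```python
"""
Flag port-25 sessions from the mail server whose App-ID is not smtp,
and list the destinations a narrowly scoped exception rule would need.
Constructed example: the CSV layout and all addresses are invented.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed sample rows (simplified fields, not the real PAN-OS export layout).
SAMPLE_LOG = """\
time,src,dst,dport,app,action
2011-04-01T10:00:01,10.0.0.25,198.51.100.10,25,smtp,allow
2011-04-01T10:00:05,10.0.0.25,203.0.113.7,25,ftp,deny
2011-04-01T10:00:09,10.0.0.25,203.0.113.7,25,ftp,deny
2011-04-01T10:01:12,10.0.0.25,192.0.2.44,25,rss,deny
2011-04-01T10:02:30,10.0.0.25,198.51.100.10,25,smtp,allow
2011-04-01T10:03:00,10.0.0.40,203.0.113.7,21,ftp,allow
"""

MAIL_SERVER = "10.0.0.25"   # assumed address of the outbound mail server
SMTP_PORT = "25"
EXPECTED_APP = "smtp"


def parse_log(text):
    """Parse the simplified CSV into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def find_misclassified(rows, mail_server=MAIL_SERVER):
    """Return rows where the mail server's port-25 sessions were not identified as smtp."""
    return [
        r for r in rows
        if r["src"] == mail_server
        and r["dport"] == SMTP_PORT
        and r["app"] != EXPECTED_APP
    ]


def summarize_by_destination(rows, mail_server=MAIL_SERVER):
    """Count (dst, app) pairs so an operator can see which peers get the wrong App-ID."""
    counts = Counter((r["dst"], r["app"]) for r in find_misclassified(rows, mail_server))
    return dict(counts)


def exception_destinations(rows, mail_server=MAIL_SERVER):
    """Sorted destination IPs that a port-25 'any application' exception rule should be limited to."""
    return sorted({r["dst"] for r in find_misclassified(rows, mail_server)})


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for (dst, app), n in summarize_by_destination(rows).items():
        print(f"{dst}: {n} port-25 session(s) classified as {app}")
    print("exception rule destinations:", exception_destinations(rows))
```

Scoping the exception to the listed destinations keeps the general rule on application-default while still letting mail reach the peers whose traffic is misidentified; the port-21 ftp row from another host is deliberately left out of the report.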