SMTP traffic mis-classified as FTP ?


L3 Networker

The other day we discovered that our SMTP server was unable to send email to the silvacom.com domain.

The problem was traced to our PAN rule which allows only SMTP traffic to emanate from our email server, on the application-default port. All attempts to deliver email to this domain, however, were being seen by the PAN as FTP traffic on TCP port 25 (instead of SMTP) and were denied. (We are on PANOS v3.1.8)

The MX record for this domain references ftpmail.isogis.com (which is also their OWA and FTP server.)

Once I created another rule specifically for this destination IP which allowed our email server to just connect on port 25 using any application, email was delivered and traffic properly classified as SMTP. See screenshot of the traffic before and after this new rule was implemented.

How can this sort of mis-classification happen? Does PAN look at the DNS name of the host and determine it's FTP? It seems rather strange that it would make such a mistake for a fairly basic protocol.

3 REPLIES

Not applicable

My guess is that PAN would want you to submit a packet capture of the traffic to see why it would be mis-identified.

You should not need to allow FTP through port 25 to accept any SMTP traffic.

Not applicable

Hello

I have one customer experiencing the same kind of SMTP mis-classification.

SMTP traffic is classified as RSS in our case (for a specific domain and a specific mail message type)

The recommendation I gave is to allow the port with ANY as application. Not exactly perfect but a valid workaround.

Cheers

Fred

At least that workaround is not worse than when using most other firewalls 😉
