Some emails not working on iPhone behind PA

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Some emails not working on iPhone behind PA

L2 Linker

I have a weird problem. I installed a VM100 connected via PPPoE to the ISP, standard NAT, DHCP configured on the LAN side.

 

Issue: unable to receive/send emails from iPhone from SOME providers using inherid IOS app:

  • Corporate email: working via IOS email app
  • iCloud email: not working via IOS email app
  • Gmail email: not working via IOS email app, but works from "Inbox" app (on the same iPhone!!)

PS: Web browsing is fine and even my SIP Trunk is working.

 

Any ideas? I have set MTU to 1480 on the WAN interface. which was my first thought... 

 

Thanks!

1 accepted solution

Accepted Solutions

L2 Linker

Turns out iCloud and gmail are using non-standard ports. I had to change the policy (Policies -> Security)  from:

- Application: application_default

.to.

- Application: any

 

I suppose I could have tweeked the application_default to allow the gmail and icloud custom ports too. That will be my next step. However, it is working with any. It looks like there was a change on 7.1:

https://live.paloaltonetworks.com/t5/PAN-OS-7-1-Articles/PAN-OS-7-1-Policy-behavior-change-applicati...

View solution in original post

4 REPLIES 4

L2 Linker

Turns out iCloud and gmail are using non-standard ports. I had to change the policy (Policies -> Security)  from:

- Application: application_default

.to.

- Application: any

 

I suppose I could have tweeked the application_default to allow the gmail and icloud custom ports too. That will be my next step. However, it is working with any. It looks like there was a change on 7.1:

https://live.paloaltonetworks.com/t5/PAN-OS-7-1-Articles/PAN-OS-7-1-Policy-behavior-change-applicati...

If you're still around, @Hwinter , I wanted to let you know that this old note saved a stranger a bunch of time in the year 2022. Thanks!

It'd be great if someone could explain to me how or why traffic that was blocked for being on a non-standard port didn't make into the Traffic log as thusly denied. Is there something I can configure to see traffic that is blocked because an app is using a non-standard port?

@LRCAIT  The default "intrazone-default" and "interzone-default" Security policies do not log by default, the interzone policy denies traffic. So if you have allow rules for an Application(s) with "application-default" Service and you do not have your own deny-everything-else Security policy, then the traffic falls thru to the "interzone-default" rule and is blocked without logging. Additionally, if you do have a deny-everything rule, but the Service in the rule is set to "application-default" (with an "any" Application) then you deny rule also won't match as the traffic may have been identified as an application that is on a non-standard port.

 

You can update these 2 built-in PaloAlto rules to log by selecting from the policy list and clicking "Override" at the bottom. Then edit to log traffic to your Log Forwarding profile.

https://docs.paloaltonetworks.com/best-practices/10-2/internet-gateway-best-practices/best-practice-...

 

L2 Linker

Thanks, @Adrian_Jensen. Makes perfect sense. This also explains why I kept seeing the default interzone rule hit counts increment, even though I had a deny-all interzone rule ahead of it that for logging purposes. 

  • 1 accepted solution
  • 3740 Views
  • 4 replies
  • 0 Likes
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!