03-12-2019 05:46 AM
We unfortunately use an SMTP server with an FQDN (we cannot use an FQDN object for certain reasons).
And we implemented a security policy with the URL category in the "Service/URL Category" section of the security policy.
In the security policy, the application allowed is smtp and the port allowed is 25.
When we test, the connection does not match this rule at all. We are making sure that the application triggered is indeed smtp on port 25.
So is URL Category in Security Policy only applied when the application is web-browsing/ssl and the port is 80/443?
BR,
RJ
03-12-2019 06:15 AM
Hi @rjdahav163 ,
Any application with a dependency on web-browsing.
Cheers !
-Kiwi.
03-12-2019 06:46 AM
Hi @kiwi
Thanks for the quick reply! But then how do we solve the issue?
We want to allow smtp on port 25 only as the application, with the destination being a URL category attached in the "Service/URL Category" section of a security policy. (We are not using an FQDN object because the minimum refresh time is 10 minutes and the server changes its IP more frequently than that.)
So, any suggestions?
BR,
RJ
03-12-2019 07:53 AM
To answer your first question, "So is URL Category in Security Policy only applied when the application is web-browsing/ssl and port is 80/443?", I believe the answer is no. The URL category can match on any port or application.
As for a possible solution to the problem: have you tried using a separate security profile with a custom URL-filtering profile that allows the category?
03-12-2019 10:09 AM
If you cannot use the FQDN, I would create an address group with all the possible IPs the FQDN resolves to and use that as the destination.
(If it changes so rapidly, I presume it's for load balancing and the number of IPs will be limited...)
03-12-2019 03:08 PM
@kiwi wrote:Hi @rjdahav163 ,
Any application with a dependency on web-browsing.
Cheers !
-Kiwi.
May I add that you can use URL categories not only for web-browsing-dependent applications. They also work for almost every TLS-encrypted connection, such as SMTPS. So if your connection is encrypted, the solution with a URL category probably works, as the firewall also checks for hostnames in the SNI extension and in the CN of the certificate in a TLS connection.