Rule to allow Client based email


I'm trying to figure out the best way to write a rule to allow mobile devices access to their personal email. Browser-based email works fine since it's mostly on 443 (or 80), which we allow out. But what about client-based email not on 80/443? For example...

- Using the iOS Exchange client to retrieve Gmail or Yahoo mail, it uses Secure IMAP on TCP/993. There is no App-ID for Secure IMAP. There is only an App-ID for IMAP on TCP/143. Because of this, I would have to write a rule to allow email based on destination port (or service). This may be a pain if there are other mail servers that use their own non-standard ports.

- Using the Android Gmail client, it uses TCP/5228. This traffic is actually identified by Palo Alto as "google-talk-base". So a rule that uses an App-ID would not work since it doesn't identify it correctly.

...I did try to create a rule that allowed ALL apps under the subcategory "Email", with the Service set to "Application Default", but PA kept complaining about other dependent apps like myspace-base, SSL and web-browsing. The problem with this is that now we are back to a port-based type of rule (since SSL will allow 443 and web-browsing will allow 80 in this rule; we don't necessarily want that). Which brings me back to the issue where I'll need to find out which ports different mail servers might be using, and open them up in the firewall.

In the end, we would like to be able to rely on Palo Alto's App-ID to write rules, and not have to resort to the old-fashioned port-based rules.

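One way to express the compromise the post describes in PAN-OS configuration-mode CLI, added here as an illustration and not taken from the original post or from any Palo Alto Networks documentation: keep App-ID on the rule (so the rule still refuses traffic that is not identified as a mail application), but replace "application-default" with custom service objects for the exact ports the clients use. The zone names (trust, untrust), the rule name, the service object names and the choice of applications listed are assumptions for illustration; the applications shown are the ones the post itself mentions (imap, the ssl dependency, and google-talk-base as the App-ID the firewall assigned to the Android Gmail client on TCP/5228).

```text
configure
set service svc-imaps-993 protocol tcp port 993
set service svc-gmail-5228 protocol tcp port 5228
set rulebase security rules allow-mobile-mail from trust
set rulebase security rules allow-mobile-mail to untrust
set rulebase security rules allow-mobile-mail source any
set rulebase security rules allow-mobile-mail source-user any
set rulebase security rules allow-mobile-mail destination any
set rulebase security rules allow-mobile-mail application [ imap ssl google-talk-base ]
set rulebase security rules allow-mobile-mail service [ svc-imaps-993 svc-gmail-5228 ]
set rulebase security rules allow-mobile-mail action allow
commit
exit
show session all filter destination-port 993
show session all filter application google-talk-base
```

Because the service column lists only TCP/993 and TCP/5228, the ssl dependency that the post complains about no longer opens 443 (and web-browsing is not on the rule at all), so the rule is narrower than the "Email subcategory + application-default" attempt; the cost is the one the post already identifies, namely that every additional mail server on a non-standard port needs its own service object added to the list. The two `show session` filters at the end are the check a practitioner would run before and after the change, to confirm which App-ID the firewall is actually assigning to the mobile clients' sessions on those ports rather than assuming it.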