The other day we discovered that our SMTP server was unable to send email to the silvacom.com domain. The problem was traced to our PAN rule which allows only SMTP traffic to emanate from our email server, on the application-default port. All attempts to deliver email to this domain, however, were being seen by the PAN as FTP traffic on TCP port 25 (instead of SMTP) and were denied. (We are on PANOS v3.1.8.) The MX record for this domain references ftpmail.isogis.com (which is also their OWA and FTP server). Once I created another rule specifically for this destination IP which allowed our email server to just connect on port 25 using any application, email was delivered and traffic was properly classified as SMTP. See screenshot of the traffic before and after this new rule was implemented. How can this sort of misclassification happen? Does PAN look at the DNS name of the host and determine it's FTP? It seems rather strange that it would make such a mistake for a fairly basic protocol.
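The post describes a flow on TCP port 25 that the firewall's application identification labelled ftp rather than smtp, so the SMTP-only rule denied it. Before widening a rule to "any application", a useful defender's check is to scan the traffic log for flows whose identified application does not match what the destination port normally carries, and to count how often that happens per destination, so an exception can be scoped to the one peer that needs it. The script below is an added example, not code from the post or from Palo Alto Networks; the log format is a constructed, simplified CSV (time, src, dst, dport, app, action, rule) rather than the firewall's real export format, and the sample lines, IP addresses, rule names and the port-to-application table are all assumptions made for illustration.

```python
"""Find application/port mismatches in firewall traffic log lines.

Added example (not from the forum post or from the firewall vendor).
The CSV layout below is a constructed simplification; real traffic logs
carry more fields and different column names.
"""
import csv
from io import StringIO

# Constructed sample log modelled on the scenario in the post: the mail
# server (10.0.0.25) connecting to port 25 on one destination is first
# identified as ftp and denied, later as smtp and allowed under a
# destination-specific rule. Addresses are from documentation ranges.
SAMPLE_LOG = """\
time,src,dst,dport,app,action,rule
2011-05-01T10:00:01,10.0.0.25,203.0.113.10,25,ftp,deny,outbound-smtp
2011-05-01T10:00:05,10.0.0.25,203.0.113.10,25,ftp,deny,outbound-smtp
2011-05-01T10:01:10,10.0.0.25,198.51.100.7,25,smtp,allow,outbound-smtp
2011-05-01T10:05:00,10.0.0.25,203.0.113.10,25,smtp,allow,smtp-to-peer
2011-05-01T10:06:00,10.0.0.25,203.0.113.10,21,ftp,deny,outbound-smtp
"""

# Assumed mapping of destination port to the application(s) normally seen
# on it. Extend this for the services your policy cares about.
EXPECTED_APPS = {
    25: {"smtp"},
    21: {"ftp"},
    80: {"web-browsing"},
    443: {"ssl"},
}


def parse_log(text):
    """Parse the CSV text into a list of row dictionaries."""
    return list(csv.DictReader(StringIO(text)))


def find_mismatches(rows, expected=EXPECTED_APPS):
    """Return rows whose identified app is not one expected on that port.

    Ports absent from `expected` are skipped: we only flag well-known
    services where a different application label is surprising.
    """
    flagged = []
    for row in rows:
        port = int(row["dport"])
        if port in expected and row["app"] not in expected[port]:
            flagged.append(row)
    return flagged


def summarize(rows):
    """Count (dst, dport, app, action) tuples so a destination that is
    repeatedly misidentified stands out from one-off noise."""
    counts = {}
    for row in rows:
        key = (row["dst"], int(row["dport"]), row["app"], row["action"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    odd = find_mismatches(rows)
    for key, n in sorted(summarize(odd).items()):
        dst, port, app, action = key
        print(f"{dst}:{port} identified as {app!r} ({action}) x{n}")
```

Run against the constructed log, the only flagged flows are the port-25 connections to 203.0.113.10 that were identified as ftp and denied; the port-21 ftp flow and the smtp flows are expected and are left alone. That output is what tells you the exception belongs on one destination, not on every port-25 flow from the mail server.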