
How Palo Alto Wildfire and antivirus work with SMTP

Just a note on how to enable Wildfire on SMTP traffic and what it looks like on the wire.

  1. Create an AV profile enabling Wildfire blocking on SMTP:

    (screenshot: av-profile)

  2. Create a data filtering profile for e-mail attachments:

    (screenshot: file-profile)

  3. Then create a policy enabling these two profiles on SMTP traffic (i.e. from your Internet-facing MTA to your back-end e-mail system). In my case it’s a Linux Sendmail-based MTA talking to Microsoft Exchange. Obviously, for the whole solution to work you will need to disable SMTP TLS for this communication or do SSL decryption on the PA (which is clearly out of scope of this post).

    (screenshot: policy)

This is pretty much it.

Now, the most interesting part – what it looks like on the wire:

  • Capture done on the firewall “transmit” queue:

    (screenshot: TCP-TX)

    (screenshot: TX)

    As you can see, the firewall kindly injects SMTP code 541 at layer 7 and resets the connection.

  • Capture done on the firewall “receive” queue:

    (screenshot: TCP-RX)

    (so the recipient is unfortunately not honoured with a TCP reset and simply times out after 5 minutes of waiting for the transaction to complete)

  • And this is how the process is seen on the sending MTA:

    (screenshot: MTA)

    It looks very nice on the sender side, as you can see. As a result, the sender of the infected e-mail message receives a nice message from the MTA quoting the 541 error produced by the Palo Alto.
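To show why the sender-side outcome above follows from the injected reply, here is an added example (not code from the post, Palo Alto or Sendmail): a scripted SMTP transaction in which a stand-in transport answers the end of DATA with a 5yz reply on the server's behalf and then resets, as in the captures. The reply text, hostnames and addresses are constructed placeholders; the real 541 banner is only in the post's screenshots.

```python
# Added example (not code from the post, Palo Alto or Sendmail): a scripted SMTP
# transaction showing why an injected 5yz reply makes the sending MTA bounce.
# Constructed reply text; the real banner is only in the post's capture.
INJECTED_REPLY = "541 Message rejected by firewall (placeholder text)"

class ScriptedWire:
    """Stand-in for the TCP connection: replays canned server replies and, if
    asked, answers end-of-DATA with a 5yz reply for the server, then resets."""
    def __init__(self, inject_after_data):
        self.inject = inject_after_data
        self.replies = ["220 mx.example.test ESMTP", "250 OK", "250 OK", "250 OK",
                        "354 Start mail input", "250 Queued", "221 Bye"]
        self.reset_pending = self.reset = False
    def read_line(self):
        if self.reset:
            raise ConnectionResetError("RST from firewall")
        reply = self.replies.pop(0)
        self.reset = self.reset_pending   # RST follows the injected reply
        return reply
    def write_line(self, line):
        if self.inject and line == ".":   # end of DATA: firewall steps in
            self.replies, self.reset_pending = [INJECTED_REPLY], True

def classify(reply):
    """RFC 5321: the first digit decides. 541 is not a listed code, but any
    5yz is a permanent failure, so the MTA bounces instead of retrying."""
    if not (reply[:3].isdigit() and reply[:1] in "2345"):
        raise ValueError(f"malformed reply: {reply!r}")
    return {"2": "ok", "3": "continue", "4": "defer", "5": "bounce"}[reply[0]]

def send_message(wire, mail_from, rcpt_to, body_lines):
    """Drive one transaction; return (queue decision, last server reply)."""
    steps = [(None, "ok"), ("HELO mta.example.test", "ok"), (f"MAIL FROM:<{mail_from}>", "ok"),
             (f"RCPT TO:<{rcpt_to}>", "ok"), ("DATA", "continue")]
    for cmd, expect in steps:             # greeting is read before any command
        if cmd is not None:
            wire.write_line(cmd)
        reply = wire.read_line()
        if (verdict := classify(reply)) != expect:
            return verdict, reply
    for line in body_lines:               # dot-stuffing, RFC 5321 section 4.5.2
        wire.write_line("." + line if line.startswith(".") else line)
    wire.write_line(".")
    try:
        reply = wire.read_line()
    except ConnectionResetError:          # dropped with no reply: retry later
        return "defer", "connection reset before reply"
    verdict = classify(reply)
    return ("delivered" if verdict == "ok" else verdict), reply
```

With injection enabled the transaction ends in "bounce" on the 541 reply and the very next read hits the reset, which is exactly the sequence the transmit-queue capture shows.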

P.S. After going through the process myself and searching for the mysterious code 541 (wasted 5 minutes struggling to find a relevant RFC (!)) I came across this nice post where another chap kindly made pretty much the same screenshots I did 🙂
