{"id":1014,"date":"2021-01-06T11:28:38","date_gmt":"2021-01-06T17:28:38","guid":{"rendered":"http:\/\/zewwy.ca\/?p=1014"},"modified":"2021-01-06T11:28:38","modified_gmt":"2021-01-06T17:28:38","slug":"palo-alto-networks-email","status":"publish","type":"post","link":"https:\/\/zewwy.ca\/index.php\/2021\/01\/06\/palo-alto-networks-email\/","title":{"rendered":"Palo Alto Networks – Email"},"content":{"rendered":"

<\/span>Story<\/span><\/h1>\n

Well back to work, so what other than another story of fun times troubleshooting what should be a super simple task. When I was hit with a delayed greyed out screen on the management UI and the subsequent error.<\/p>\n

“Unable to send email via gateway (email server IP)”<\/p>\n

<\/span>The<\/span><\/h2>\n

<\/span>Hunt<\/span><\/h2>\n

Let’s see if others have hit this problem:<\/p>\n

First ones a dead end.<\/a><\/p>\n

Second<\/a> and Third<\/a> basically state to ensure legit email addresses are applied to both to and addition to fields. My case I know the only one email to address is fine.<\/p>\n

And finally the How to By Palo Alto Networks themselves.<\/a><\/p>\n

Well that’s annoying, bascially tell you to ensure the email server is accessible but they do so from other devices cause the PA can’t even do a telnet test… uhh ok useless, I know it’s open.<\/p>\n

<\/span>Things to Know<\/span><\/h2>\n

I had contacted my buddy who specializes in PA firewalls. There are some things to note.<\/p>\n

    \n
  1. Service Routing<\/a>
    \nBy default all traffic from the firewall, will go out the MGMT interface. Unless otherwise specified. In my case I was using a Service Route for Email to use the interface that was acting as the gateway for the subnet in which the email server was residing.<\/li>\n
  2. Intrazone and Interzone Rules<\/a>
    \nBy default if traffic doesn’t hit any rule it will be dropped, watch the video by Joe Delio for greater in-depth understanding.<\/li>\n<\/ol>\n

    <\/span>The Solution<\/span><\/h2>\n

    Now even though I had a “clean up” rule as stated by Joe. I was still not seeing the traffic being blocked (and I know it was being blocked).<\/p>\n

    Once my buddy told me to override the intrazone rule and enabled logging on that rule, I was finally able to see the packets being dropped by the PAN firewall within the Traffic Logs\/Session Logs.<\/p>\n

    Sure enough it was my own mistake as I had forgot to extent an existing rule which should have had the PAN’s gateway IP within it. After I noticed this I extended the rule to allow SMTP port 25 from the PA IP (not the mgmt IP) I was able to send emails from the PAN firewall.<\/p>\n

    Hope this helps someone.<\/p>\n

    Also note I ensured a dedicated receive connector on the email server to ensure the email would be allowed to flow though.<\/p>\n","protected":false},"excerpt":{"rendered":"

    Story Well back to work, so what other than another story of fun times troubleshooting what should be a super simple task. When I was hit with a delayed greyed out screen on the management UI and the subsequent error. “Unable to send email via gateway (email server IP)” The Hunt Let’s see if others … <\/p>\n

    Continue reading “Palo Alto Networks – Email”<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"sfsi_plus_gutenberg_text_before_share":"","sfsi_plus_gutenberg_show_text_before_share":"","sfsi_plus_gutenberg_icon_type":"","sfsi_plus_gutenberg_icon_alignemt":"","sfsi_plus_gutenburg_max_per_row":"","footnotes":""},"categories":[127,8],"tags":[235,161],"class_list":["post-1014","post","type-post","status-publish","format-standard","hentry","category-palo-alto-networks","category-server-administration","tag-email","tag-pan"],"_links":{"self":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1014","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/comments?post=1014"}],"version-history":[{"count":1,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1014\/revisions"}],"predecessor-version":[{"id":1015,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1014\/revisions\/1015"}],"wp:attachment":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/media?parent=1014"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/categories?post=1014"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/tags?post=1014"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}