This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
sajin
Contributor
‎2019-08-07 05:15 AM

SMTP over 587

One of our server is trying to access the domain "smtp.office365.com" with port 587. We configured Domain object and could see there are some intermittent drop in the firewall by the CLEAN UP RULE.

In the port 587, protocol SMTP is selected and after that we couldn't see drop but the traffic being bypassed.

Please explain by  adding the protocol why the traffic is being bypassed.

 

 

 

0 Kudos
9 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-08-07 05:27 AM

I would suggest that you should:

- Explain the first configuration including defined objects, their definition and the used rule(s)

- explain how you have changed what where for the second configuration

-. explain the differences in behavior of both configurations and what you mean with bypassed traffic ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
sajin
Contributor
‎2019-08-07 06:24 AM
In response to G_W_Albrecht

Hi,

PLz see the attachment

In the attachment,  server  needs to reach Domain Objects  with port 587 and there were drops in the logs.

As the port 587 is SMTP, we added the protocol SMTP in the corresponding port.

After that the traffic is bypassed in the logs its showing.

 

In the attachment you can understand whats going on.

 

 
 
 
Preview file
58 KB
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-08-07 07:42 AM
In response to sajin

As i do not see the drop logs i can not assume a reason for the drops - but what is meant with bypass ? I only know bypass behavior from TP, an access rule can only accept, reject or drop...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2019-08-07 01:09 PM
In response to G_W_Albrecht

I think the bypass action comes from applicationcontrol. SMTP on Port 587 is Encrypted SMTP. And I think the firewall is smart enough to detect the first connection on standard port 25 and then after seeing a StartTLS command moving to port 587.But doing a bypass because the connection is encrypted and can‘t be inspected without MTA on the gateway.

If you could show us more from the log we can see more needed details.

Wolfgang

0 Kudos
sajin
Contributor
‎2019-08-08 12:04 AM
In response to Wolfgang

The  drop is happening in the Final Clean UP RULE and in "fw ctl zdebug drop"it show only the clean up rule block.

Removing the Domain Object  in the rule and when giving the resolvable IP in the destination there is no drop.

So is something happening with the the Domain Object or the port 587.

0 Kudos
_Val_
Admin
Admin
‎2019-08-08 12:49 AM
In response to sajin

@sajin Much more likely, your domain object cannot be resolved on your FW. Did you check if it is there?

0 Kudos
sajin
Contributor
‎2019-08-08 01:20 AM
In response to _Val_

The drop is not happening regularly its intermittent. Among 7-10 accept packet we getting two drop packets.

Tried "fw up_execute" command and the IP is matching with the corresponding rule.

nslookup  is working from the firewall.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-08-11 06:11 PM

The drops with Domain Objects points to intermittent DNS lookup failures, as we do look it up periodically.
Recommend opening up a TAC case.
0 Kudos
yemiokubule
Explorer
‎2024-01-04 07:50 AM
In response to PhoneBoy

Hi All,

I have a similar issue, does anyone has a solution handy.

Regards

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events