Hi there,
I just have issues understanding how our Check Point NGFW handles mails sometimes. We're using the MTA function.
One of our employees received an email with the hint that SandBlast has removed some contents. There are PDF files on that mail that get missed.
I checked the firewall log. Usually I can recover the mail or the file by those IDs through the scrub send_orig commands.
I found the mentioned mail with Action "Allow", even though there is extracted content, as seen in the screenshot.
It's now allowed, or not?
If I try to resend the mail through "scrub send_orig_email {mailid} all", the mail won't get received by the employee. I get the message "Original mail was sent to "employees mail"".
Where can I have a further look at this now? Can I check if the mail really is on hold?
Thanks in advance,
Regards