Configure the SMTP Emails Policy on the SRX Series Firewall
Unlike file scanning policies where you define an action permit or action block statement, with SMTP email management the action to take is defined in the Configure > Emails > SMTP window. All other actions are defined with CLI commands as before.
Shown below is an example policy with email attachments addressed in profile profile2.
show services advanced-anti-malware
...
policy policy1 {
    http {
        inspection-profile default_profile;  # Global profile
        action permit;
    }
    smtp {
        inspection-profile profile2;         # Profile2 applies to SMTP email
        notification {
            log;
        }
    }
    verdict-threshold 8;                     # Globally, a score of 8 and above indicates possible malware
    fallback-options {
        action permit;
        notification {
            log;
        }
    }
    default-notification {
        log;
    }
    whitelist-notification {
        log;
    }
    blacklist-notification {
        log;
    }
    fallback-options {
        action permit;                       # default is permit and no log.
        notification log;
    }
}
...
In the above example, the email profile (profile2) looks like this:
show services advanced-anti-malware profile
Advanced anti-malware inspection profile:
Profile Name: profile2
version: 1443769434
disabled_file_types:
{
    application/x-pdfa: [pdfa],
    application/pdf: [pdfa],
    application/mbox: []
},
disabled_categories: [java, script, documents, code],
category_thresholds: [
    {
        category: executable,
        min_size: 512,
        max_size: 1048576
    },
    {
        category: library,
        min_size: 4096,
        max_size: 1048576
    }]
The firewall policy is similar to before. The AAMW policy is placed in the trust-to-untrust zone. See the example below.
show security policies
from-zone trust to-zone untrust {
    policy p1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    advanced-anti-malware-policy policy1;
                    ssl-proxy {
                        profile-name ssl-proxy1;
                    }
                }
            }
        }
    }
}
Shown below is another example, using the show services advanced-anti-malware policy CLI command. In this example, emails are quarantined if their attachments are found to contain malware. A verdict score of 8 and above indicates malware.
show services advanced-anti-malware policy policy1
Advanced-anti-malware configuration:
Policy Name: policy1
  Default-notification : No Log
  Whitelist-notification: Log
  Blacklist-notification: Log
  Fallback options:
    Action: permit
    Notification: Log
  Inspection-profile: profile2
  Applications: HTTP
    Verdict-threshold: 8
    Action: block
    Notification: Log
  Protocol: SMTP
    Verdict-threshold: 8
    Action: User-Defined-in-Cloud (quarantine)
    Notification: Log
    Inspection-profile: profile2
Optionally you can configure forward and reverse proxy for server and client protection, respectively. For example, if you are using SMTPS, you may want to configure reverse proxy. For more information on configuring reverse proxy, see Configure Reverse Proxy on the SRX Series Firewall.
# show services ssl
initiation {                                 # for cloud connection
    profile srx_to_sky_tls_profile_name {
        trusted-ca sky-secintel-ca;
        client-certificate sky-srx-cert;
    }
}
proxy {
    profile ssl-client-protection {          # for forward proxy
        root-ca ssl-inspect-ca;
        actions {
            ignore-server-auth-failure;
            log {
                all;
            }
        }
    }
    profile ssl-server-protection {          # for reverse proxy
        server-certificate ssl-server-protection;
        actions {
            log {
                all;
            }
        }
    }
}
Use the show services advanced-anti-malware statistics CLI command to view statistical information about email management.
show services advanced-anti-malware statistics
Advanced-anti-malware session statistics:
  Session interested:      3291750
  Session ignored:           52173
  Session hit blacklist:         0
  Session hit whitelist:         0
                              Total      HTTP     HTTPS      SMTP     SMTPS
  Session active:             52318         0         0     52318         0
  Session blocked:                0         0         0         0         0
  Session permitted:        1354706         0         0   1354706         0
Advanced-anti-malware file statistics:
                              Total      HTTP     HTTPS      SMTP     SMTPS
  File submission success:    83134         0         0     83134         0
  File submission failure:     9679         0         0      9679         0
  File submission not needed: 86104         0         0     86104         0
  File verdict meets threshold: 65732       0         0     65732         0
  File verdict under threshold: 16223       0         0     16223         0
  File fallback blocked:          0         0         0         0         0
  File fallback permitted:     4512         0         0      4512         0
  File hit submission limit:      0         0         0         0         0
Advanced-anti-malware email statistics:
                              Total      SMTP     SMTPS
  Email processed:           345794    345794         0
  Email permitted:            42722     42722         0
  Email tag-and-delivered:        0         0         0
  Email quarantined:           9830      9830         0
  Email fallback blocked:         0         0         0
  Email fallback permitted:   29580     29580         0
  Email hit whitelist:            0         0         0
  Email hit blacklist:            0         0         0
As before, use the clear services advanced-anti-malware statistics CLI command to clear the above statistics when you are troubleshooting.
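The email counters above are the ones to watch when fallback-options is set to action permit: every "Email fallback permitted" message was delivered without a cloud verdict. The following added example (not part of the original page or of Junos) parses the email section of the show services advanced-anti-malware statistics output and flags a high fallback-delivery ratio; the sample output, the 5% threshold and the function names are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample: the email section of the statistics output shown on this page.
SAMPLE_OUTPUT = """\
Advanced-anti-malware email statistics:
                              Total      SMTP     SMTPS
  Email processed:           345794    345794         0
  Email permitted:            42722     42722         0
  Email tag-and-delivered:        0         0         0
  Email quarantined:           9830      9830         0
  Email fallback blocked:         0         0         0
  Email fallback permitted:   29580     29580         0
  Email hit whitelist:            0         0         0
  Email hit blacklist:            0         0         0
"""

# One counter row: "Email <name>:" followed by the Total, SMTP and SMTPS columns.
ROW = re.compile(r"^\s*Email ([\w -]+?):\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_email_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Return {counter name: {"Total": n, "SMTP": n, "SMTPS": n}} for the email section only."""
    stats: Dict[str, Dict[str, int]] = {}
    in_section = False
    for line in text.splitlines():
        header = line.strip().startswith("Advanced-anti-malware")
        if header:
            in_section = "email statistics" in line  # stop at the next section header
            continue
        m = ROW.match(line)
        if in_section and m:
            stats[m.group(1)] = {"Total": int(m.group(2)), "SMTP": int(m.group(3)), "SMTPS": int(m.group(4))}
    return stats


def fallback_ratio(stats: Dict[str, Dict[str, int]], column: str = "Total") -> float:
    """Fraction of processed emails delivered via fallback, i.e. without a cloud verdict."""
    processed = stats["processed"][column]
    return stats["fallback permitted"][column] / processed if processed else 0.0


def review(stats: Dict[str, Dict[str, int]], max_fallback_ratio: float = 0.05) -> List[str]:
    """Return human-readable findings; an empty list means the counters look healthy."""
    findings = []
    ratio = fallback_ratio(stats)
    if ratio > max_fallback_ratio:  # assumed threshold; tune per environment
        findings.append(f"{ratio:.1%} of emails delivered by fallback: check cloud connectivity and fallback-options")
    if stats["fallback blocked"]["Total"] == 0 and stats["fallback permitted"]["Total"] > 0:
        findings.append("fallback-options action is permit: unscanned mail is being delivered")
    return findings
```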
Before configuring the SMTP threat prevention policy, make sure you have done the following:
- Define the action to take (quarantine or deliver malicious messages) and the end-user email notification in the Configure > Emails > SMTP window.
- (Optional) Create a profile in the Configure > Device Profiles window to indicate which email attachment types to scan. Or, you can use the default profile.
The following steps show the minimum configuration. To configure the threat prevention policy for SMTP using the CLI: