Configure the SMTP Emails Policy on the SRX Series Firewall
Unlike file scanning policies where you define an action permit or action block statement, with SMTP email management the action to take is defined in the Configure > Emails > SMTP window. All other actions are defined with CLI commands as before.
Shown below is an example policy in which SMTP email attachments are inspected according to the profile profile2.
user@host# show services advanced-anti-malware
...
policy policy1 {
    http {
        inspection-profile default_profile; # Global profile
        action permit;
    }
    smtp {
        inspection-profile profile2; # Profile2 applies to SMTP email
        notification {
            log;
        }
    }
    verdict-threshold 8; # Globally, a score of 8 and above indicates possible malware
    fallback-options {
        action permit;
        notification {
            log;
        }
    }
    default-notification {
        log;
    }
    whitelist-notification {
        log;
    }
    blacklist-notification {
        log;
    }
    fallback-options {
        action permit; # default is permit and no log.
        notification log;
    }
}
...
In the above example, the email profile (profile2) looks like this:
user@host> show services advanced-anti-malware profile
Advanced anti-malware inspection profile:
Profile Name: profile2
version: 1443769434
disabled_file_types: {
    application/x-pdfa: [pdfa],
    application/pdf: [pdfa],
    application/mbox: []
},
disabled_categories: [java, script, documents, code],
category_thresholds: [
    {
        category: executable,
        min_size: 512,
        max_size: 1048576
    },
    {
        category: library,
        min_size: 4096,
        max_size: 1048576
    }
]
The firewall policy is similar to before: the AAMW policy is applied as an application service in the trust-to-untrust security policy. See the example below.
user@host# show security policies
from-zone trust to-zone untrust {
    policy p1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    advanced-anti-malware-policy policy1;
                    ssl-proxy {
                        profile-name ssl-proxy1;
                    }
                }
            }
        }
    }
}
Shown below is another example, using the show services advanced-anti-malware policy CLI command. In this example, emails are quarantined if their attachments are found to contain malware. A verdict score of 8 and above indicates malware.
user@root> show services advanced-anti-malware policy policy1
Advanced-anti-malware configuration:
Policy Name: policy1
  Default-notification : No Log
  Whitelist-notification: Log
  Blacklist-notification: Log
  Fallback options:
    Action: permit
    Notification: Log
  Inspection-profile: profile2
  Applications: HTTP
    Verdict-threshold: 8
    Action: block
    Notification: Log
  Protocol: SMTP
    Verdict-threshold: 8
    Action: User-Defined-in-Cloud (quarantine)
    Notification: Log
    Inspection-profile: profile2
Optionally, you can configure forward and reverse proxy for client and server protection, respectively (the profile comments in the example below show which is which). For example, if you are using SMTPS to an internal mail server, you may want to configure reverse proxy. Note that the forward-proxy profile in the example sets ignore-server-auth-failure, which allows a session to continue even when the server certificate fails validation, so enable it only where that is intended. For more information on configuring reverse proxy, see Configure Reverse Proxy on the SRX Series Firewall.
# show services ssl
initiation { # for cloud connection
    profile srx_to_sky_tls_profile_name {
        trusted-ca sky-secintel-ca;
        client-certificate sky-srx-cert;
    }
}
proxy {
    profile ssl-client-protection { # for forward proxy
        root-ca ssl-inspect-ca;
        actions {
            ignore-server-auth-failure;
            log {
                all;
            }
        }
    }
    profile ssl-server-protection { # for reverse proxy
        server-certificate ssl-server-protection;
        actions {
            log {
                all;
            }
        }
    }
}
Use the show services advanced-anti-malware statistics CLI command to view statistical information about email management.
user@host> show services advanced-anti-malware statistics
Advanced-anti-malware session statistics:
  Session interested:     3291750
  Session ignored:        52173
  Session hit blacklist:  0
  Session hit whitelist:  0

                          Total     HTTP   HTTPS   SMTP      SMTPS
  Session active:         52318     0      0       52318     0
  Session blocked:        0         0      0       0         0
  Session permitted:      1354706   0      0       1354706   0

Advanced-anti-malware file statistics:
                                 Total   HTTP   HTTPS   SMTP    SMTPS
  File submission success:       83134   0      0       83134   0
  File submission failure:       9679    0      0       9679    0
  File submission not needed:    86104   0      0       86104   0
  File verdict meets threshold:  65732   0      0       65732   0
  File verdict under threshold:  16223   0      0       16223   0
  File fallback blocked:         0       0      0       0       0
  File fallback permitted:       4512    0      0       4512    0
  File hit submission limit:     0       0      0       0       0

Advanced-anti-malware email statistics:
                            Total    SMTP     SMTPS
  Email processed:          345794   345794   0
  Email permitted:          42722    42722    0
  Email tag-and-delivered:  0        0        0
  Email quarantined:        9830     9830     0
  Email fallback blocked:   0        0        0
  Email fallback permitted: 29580    29580    0
  Email hit whitelist:      0        0        0
  Email hit blacklist:      0        0        0
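The "Email fallback permitted" counter is the one to watch: with the fallback action set to permit, those messages were delivered without a cloud verdict. The following Python script is an added example, not part of the Juniper documentation; it parses the email section of the show services advanced-anti-malware statistics output and flags when fallback-permitted mail exceeds a threshold. The sample text is constructed from the counters shown above, and the 1% alert threshold is an assumption.

```python
import re

# Constructed sample: the email section of the show output above.
SAMPLE_OUTPUT = """\
Advanced-anti-malware email statistics:
                            Total    SMTP     SMTPS
  Email processed:          345794   345794   0
  Email permitted:          42722    42722    0
  Email tag-and-delivered:  0        0        0
  Email quarantined:        9830     9830     0
  Email fallback blocked:   0        0        0
  Email fallback permitted: 29580    29580    0
  Email hit whitelist:      0        0        0
  Email hit blacklist:      0        0        0
"""

# One counter row: "<label>: <total> <smtp> <smtps>" (format assumed from the output above).
ROW = re.compile(r"^\s*(Email [A-Za-z -]+?):\s*(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_email_stats(text):
    """Return {label: {"total": n, "smtp": n, "smtps": n}} for the email section only."""
    stats, in_section = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Advanced-anti-malware email statistics"):
            in_section = True
            continue
        if in_section and stripped.startswith("Advanced-anti-malware"):
            break  # a different statistics section follows
        m = ROW.match(line) if in_section else None
        if m:
            stats[m.group(1)] = {"total": int(m.group(2)),
                                 "smtp": int(m.group(3)),
                                 "smtps": int(m.group(4))}
    return stats

def assess_fallback(stats, max_fallback_pct=1.0):
    """Share of processed mail delivered via fallback; alert when above the threshold."""
    processed = stats["Email processed"]["total"]
    fallback = stats["Email fallback permitted"]["total"]
    pct = 100.0 * fallback / processed if processed else 0.0
    return {"processed": processed, "fallback_permitted": fallback,
            "quarantined": stats["Email quarantined"]["total"],
            "fallback_pct": round(pct, 2), "alert": pct > max_fallback_pct}

if __name__ == "__main__":
    print(assess_fallback(parse_email_stats(SAMPLE_OUTPUT)))
```

A sustained rise in fallback-permitted mail usually points at submission failures (see the file statistics section), so correlate it with the File submission failure counter before tuning the fallback action.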
As before, use the clear services advanced-anti-malware statistics CLI command to clear the above statistics when you are troubleshooting.
For debugging purposes, you can also set SMTP trace options.
user@host# set services advanced-anti-malware traceoptions flag smtp
Before configuring the SMTP threat prevention policy, make sure you have done the following:
- Define the action to take (quarantine or deliver malicious messages) and the end-user email notification in the Configure > Emails > SMTP window.
- (Optional) Create a profile in the Configure > Device Profiles window to indicate which email attachment types to scan. Or, you can use the default profile.
The following steps show the minimum configuration. To configure the threat prevention policy for SMTP using the CLI: