While preparing for some Palo Alto Networks certifications I read something about the antivirus capabilities of blocking viruses via email by sending an SMTP response code of 541 to the sender (link). This was new for me since I thought the Palo Alto would only block IP connections (TCP RST) but not send layer 7 messages (SMTP codes). But actually, it does so by spoofing the IP address of the destination SMTP host. Cool stuff. Of course, I needed to test this. Here we go. 
Basically, I sent an email with a virus through the firewall in order to see if it blocks it.
What is Code 541?
At a first glance I was wondering about the “541” response code. I have not heard about it until now. I have not found any good resources about that on Google. There is nothing in RFC 3463 (Enhanced Mail System Status Codes). Hm. At least, here is a german site that lists this code with a description as “Recipient Address Rejected – Blacklist, Anti-Spam, Mailfilter/Firewall Block”.
Antivirus Profile with Block
The default antivirus profile has an action for smtp of “alert”. In order to block viruses, “block” must be specified:
Of course, this antivirus profile must be used in the appropriate security policy rules for the SMTP mail transfer.
EICAR Testfile sent through PA
I sent a virus (EICAR testfile) from my mail server (Postfix) to an external email address. This SMTP connection goes through the Palo Alto to my MTA (Cisco ESA). Due to the antivirus profile on the PA, this email is blocked. Following are a few listing of this behaviour:
This is the mail.log on the Postfix installation. Note line 6, the longest line, which says “status=bounced [...] 541 5.4.1 Content blocked by Palo Alto Networks Firewall”:
Aug 27 11:26:46 jw-vm10 postfix/smtpd[23809]: connect from unknown[192.168.125.10] Aug 27 11:26:47 jw-vm10 postfix/smtpd[23809]: 022F115F9BA: client=unknown[192.168.125.10] Aug 27 11:26:47 jw-vm10 postfix/cleanup[23812]: 022F115F9BA: message-id=<53FDA44D.8010902@webertest.net> Aug 27 11:26:47 jw-vm10 postfix/qmgr[25919]: 022F115F9BA: from=<johannes@webertest.net>, size=1146, nrcpt=1 (queue active) Aug 27 11:26:47 jw-vm10 postfix/smtpd[23809]: disconnect from unknown[192.168.125.10] Aug 27 11:26:48 jw-vm10 postfix/smtp[23813]: 022F115F9BA: to=<johannes@webernetz.net>, relay=2003:51:6012:124::15[2003:51:6012:124::15]:25, delay=0.83, delays=0.2/0.05/0.57/0, dsn=5.4.1, status=bounced (host 2003:51:6012:124::15[2003:51:6012:124::15] said: 541 5.4.1 Content blocked by Palo Alto Networks Firewall (in reply to end of DATA command)) Aug 27 11:26:48 jw-vm10 postfix/cleanup[23812]: 1766B16092F: message-id=<20140827092648.1766B16092F@webertest.net> Aug 27 11:26:48 jw-vm10 postfix/qmgr[25919]: 1766B16092F: from=<>, size=3117, nrcpt=1 (queue active) Aug 27 11:26:48 jw-vm10 postfix/bounce[23814]: 022F115F9BA: sender non-delivery notification: 1766B16092F Aug 27 11:26:48 jw-vm10 postfix/qmgr[25919]: 022F115F9BA: removed Aug 27 11:26:48 jw-vm10 postfix/local[23816]: 1766B16092F: to=<johannes@webertest.net>, relay=local, delay=0.37, delays=0.16/0.01/0/0.21, dsn=2.0.0, status=sent (delivered to maildir) Aug 27 11:26:48 jw-vm10 postfix/qmgr[25919]: 1766B16092F: removed
The PA threat log reveals the deny for this connection:
A packet capture on the Postfix servers also shows the SMTP 541 message as well as the TCP RST packet sent from the Palo Alto with an IP address of the real MTA:
Note that the real MTA (in my case a Cisco ESA) sees the incoming connection until it is lost due to the disruption from the Palo Alto:
The sender of the email will get a “Mail Delivery System” email with a subject of “Undelivered Mail Returned to Sender” (or the like). In my test case, this looks like that:
Links
- Palo Alto: CNSE Study Guide
- Palo Alto: Threat Prevention Deployment Tech Note