Palo Alto SMTP Reset-Both in the Antivirus Policy and how to Exclude
I was once asked, what happens when SMTP gets reset/blocked, do the end users get a notification.
Setting the SMTP to reset-both, will send a code 541 to the sender if triggered. This is a “Recipient Address Rejected – Blacklist, Anti-Spam, Mailfilter/Firewall Block” error message. Below is an example:
The event will show up in the Threat logs: Monitor, Logs, Threat
Eicar Test File can be found here:
What if you don’t want that traffic to get blocked. You know it’s legit. Below is how you exclude. You can also do this for other security profiles. It’s almost the same way of doing it.
First you need to find the Thread ID under “Details” when you’re in the “Detailed Log View”:
In our case it’s 100000.
Now while you’r in the “Antivirus Profile“, Click on the “Virus Exception” tab:
Inside the “Threat ID” box, type the number in there and click “Add”.