Palo Alto SMTP Reset-Both in the Antivirus Policy and how to Exclude

I was once asked what happens when SMTP traffic gets reset or blocked by the firewall: do the end users get a notification?

Setting the Antivirus profile's SMTP action to reset-both makes the firewall answer the sending mail server with SMTP code 541 when a signature triggers, instead of silently dropping the session. 541 is a permanent-failure reply ("Recipient Address Rejected – Blacklist, Anti-Spam, Mailfilter/Firewall Block"), so the sending MTA stops retrying and normally generates a bounce (non-delivery report) to the original sender. That bounce, not anything from the firewall itself, is the notification the end user sees. Below is an example:

[Screenshot: pa-reset1]

The event shows up in the Threat log (Monitor > Logs > Threat):

[Screenshot: pa-reset2]

The EICAR test file used to trigger the signature can be found here:
https://www.eicar.org/86-0-Intended-use.html

[Screenshot: pa-reset3]

Antivirus Exclusions:
What if you don't want that traffic blocked because you know it is legitimate? Below is how to exclude it. The same approach works for the other security profiles (Anti-Spyware and Vulnerability Protection have an equivalent Exceptions tab).

First you need to find the Threat ID under "Details" in the "Detailed Log View" of the threat log entry:

In our case it is 100000 (the EICAR test file).

[Screenshot: pa-reset4]

Now, while in the "Antivirus Profile", click on the "Virus Exception" tab. Inside the "Threat ID" box, type the number and click "Add".
Note that the exception is profile-wide: every security rule that uses this profile stops acting on that ID. If only one mail flow should be exempt, clone the profile, add the exception to the clone and attach it to a rule that matches just that traffic.

[Screenshot: pa-reset5]

Don't forget to "commit" your changes; the exception has no effect until then.
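As an added example (not from the original post), here is a Python script that pulls the threat IDs out of exported threat-log rows for SMTP sessions that were reset, then builds the PAN-OS XML API request that adds such an ID to an Antivirus profile's Virus Exception list, plus the commit request. The log rows are constructed and reduced to a few columns; the device/vsys names, the profile name "default", the host fw.example.net and the threat-exception XPath/element format are assumptions to verify against your own configuration export.

```python
import csv
import io
import re
from urllib.parse import urlencode

# Constructed sample of PAN-OS threat log rows, reduced to the columns this
# script reads. Real exports carry many more columns; the "threatid" column
# holds the signature as "<name>(<id>)", which is what the parser relies on.
SAMPLE_THREAT_LOG = """receive_time,type,subtype,src,dst,app,action,threatid,severity
2020/01/01 10:00:01,THREAT,virus,10.1.1.5,203.0.113.25,smtp,reset-both,Eicar Test File(100000),medium
2020/01/01 10:00:09,THREAT,virus,10.1.1.7,203.0.113.25,smtp,alert,Eicar Test File(100000),medium
2020/01/01 10:00:41,THREAT,virus,10.1.1.5,203.0.113.25,smtp,reset-both,Eicar Test File(100000),medium
2020/01/01 10:01:30,THREAT,vulnerability,10.1.1.9,198.51.100.4,web-browsing,reset-both,HTTP Cross Site Scripting(30006),high
"""

THREAT_RE = re.compile(r"^(?P<name>.+)\((?P<id>\d+)\)$")
# Conservative whitelist for object names so they cannot break out of the
# single-quoted XPath attribute below.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]+$")


def blocked_smtp_threats(log_text, app="smtp", action="reset-both"):
    """Return {threat_id: (signature_name, hit_count)} for rows where the
    given app was handled with the given action. Defaults to the SMTP /
    reset-both case from the post; pass other values to find, for example,
    what is only being alerted on."""
    found = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["app"] != app or row["action"] != action:
            continue
        m = THREAT_RE.match(row["threatid"])
        if not m:
            continue  # unexpected threatid format; skip rather than guess
        tid = int(m.group("id"))
        name, hits = found.get(tid, (m.group("name"), 0))
        found[tid] = (name, hits + 1)
    return found


def virus_exception_xpath(profile, vsys="vsys1"):
    """XPath of the threat-exception node of an Antivirus profile.
    ASSUMED layout (device 'localhost.localdomain', vsys 'vsys1'); confirm
    against a configuration export from your PAN-OS version."""
    for value in (profile, vsys):
        if not SAFE_NAME_RE.match(value):
            raise ValueError(f"unsafe object name: {value!r}")
    return ("/config/devices/entry[@name='localhost.localdomain']"
            f"/vsys/entry[@name='{vsys}']/profiles/virus"
            f"/entry[@name='{profile}']/threat-exception")


def virus_exception_request(host, api_key, profile, threat_id):
    """Build the XML API 'set' URL that adds threat_id to the profile's Virus
    Exception list. The <entry name='ID'/> element format is assumed from the
    exported profile XML. Nothing is sent; the caller issues the GET itself."""
    if not isinstance(threat_id, int) or threat_id <= 0:
        raise ValueError("threat_id must be a positive integer")
    params = {
        "type": "config",
        "action": "set",
        "xpath": virus_exception_xpath(profile),
        "element": f"<entry name='{threat_id}'/>",
        "key": api_key,
    }
    return f"https://{host}/api/?{urlencode(params)}"


def commit_request(host, api_key):
    """Commit URL; the exception does nothing until the commit runs."""
    params = {"type": "commit", "cmd": "<commit></commit>", "key": api_key}
    return f"https://{host}/api/?{urlencode(params)}"


if __name__ == "__main__":
    for tid, (name, hits) in blocked_smtp_threats(SAMPLE_THREAT_LOG).items():
        print(f"{name} ({tid}) reset {hits} time(s) in smtp")
        print(virus_exception_request("fw.example.net", "API-KEY", "default", tid))
    print(commit_request("fw.example.net", "API-KEY"))
```

Run it against a real CSV export of the Threat log to list exactly which IDs are being reset for SMTP before you touch the profile; an ID that also appears with action "alert" on another rule tells you which profile is the strict one. The set request only stages the change, so the commit request (or a manual commit) is still required.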
