Add rule for email clients (POP and IMAP)
The Email clients (POP and IMAP) rule protects mail servers that are hosted publicly (WAN). This page describes how to configure a protection rule and control access to mail servers using the Email clients application template.
Note
If you delete an email clients rule, the emails being processed by this rule will be queued but will not be delivered.
We recommend following the steps below so that you do not lose the emails processed by this rule:
- Before deleting this rule, clone it by choosing the Clone above option and change the Action to Drop. The cloned rule will hold all the incoming emails.
- Go to Email > Mail spool and check whether the spool is empty.
- Once the spool is empty, delete both the firewall rules.

- Go to Firewall and select either IPv4 or IPv6 using the default filter.
- Click +Add firewall rule and select Business application rule.
- Specify the general rule details.
- Application template
- Select Email clients (POP & IMAP) to define an application filter policy for POP and IMAP based email clients.
- Description
- Specify the rule description.
- Rule position
- Specify the position of the rule.
- Available options:
- Top
- Bottom
- Rule group
- Specify the rule group to add the firewall rule to. You can also create a new rule group by using Create new from the list.
- If you select Automatic, the firewall rule will be added to an existing group based on first match with rule type and source-destination zones.
- Rule name
- Specify a name to identify the rule.
- Specify Source details.
- Zone
- Select the allowed source zone(s).
- Networks
- Select the allowed source network(s). A new network host can be created directly from this page or from the Hosts and services > IP host page.
- Specify Destination details.
- Zone
- Select the zone to which the rule applies.
- Networks
- Select the network(s) to be protected.
- A new network host can be created directly from this page or from the Hosts and services > IP host page.
- Specify Identity details.
- Match rule based on user identity
- Click to enable a rule based on the user identity.
- Show captive portal to unknown users
- Select the check box to accept traffic from unknown users. The captive portal page is displayed to the user, where the user can sign in to access the internet.
- Clear the check box to drop traffic from unknown users.
- User or groups (only available if Match rule based on user identity is enabled)
- Select the user(s) or group(s) from the list of available options.
- Exclude this user activity from data accounting (only available if Match rule based on user identity is enabled)
- Click to enable or disable the exclusion of user traffic activity from data accounting.
- By default, a user's network traffic is considered in data accounting. Select to exclude certain traffic from user data accounting. The traffic allowed through this rule will not be counted towards data transfer for the user.
- Specify Malware scanning details.
- Scan IMAP/IMAPS/POP3/POP3S/SMTP/SMTPS
- Click to enable/disable scanning of IMAP/IMAPS/POP3/POP3S/SMTP/SMTPS traffic.
- Specify advanced settings.
- Specify Policies for business applications.
- Intrusion prevention
- Select an IPS policy for the rule. A new IPS policy can be created directly from this page itself or from the Intrusion prevention > IPS policies page.
- Traffic shaping (not available if Match rule based on user identity is selected)
- Select a traffic shaping policy for the rule.
- A traffic shaping policy allocates & limits the maximum bandwidth usage of the user.
- A new traffic shaping policy can be created directly from this page or from the Profiles > Traffic shaping page.
- Specify Security Heartbeat settings (only available if IPv4 is selected).
- Minimum source HB permitted
- Select a minimum health status that a source device must have to conform to this rule. Health status can be either Green, Yellow or No restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.
- Block clients with no heartbeat
- Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.
- Based on that information, you can restrict a source device’s access to certain services and networks.
- Enable/disable the option to require the sending of heartbeats.
- Minimum destination HB permitted (not available if the only Destination zone selected is WAN)
- Select a minimum health status that a destination device must have to conform to this rule. Health status can be either Green, Yellow or No restriction. If the health criterion is not met, access and privileges defined in this policy will not be granted to the user.
- Note: You can use the option if you have selected multiple zones along with WAN.
- Block request to destination with no heartbeat (Not available if the only Destination zone selected is WAN)
- Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.
- Based on that information, you can block requests to destinations not sending heartbeat. Enable/disable the option to require the sending of heartbeats.
- Note: You can use the option if you have selected multiple zones along with WAN.
- Specify Routing details.
- Rewrite source address (Masquerading)
- Enable/disable to re-write the source address or specify a NAT policy.
- Use gateway-specific default NAT policy (only if Masquerading is selected)
- Select to override the default NAT policy with a gateway-specific policy.
- Override default NAT policy for specific gateway (only if Use gateway-specific default NAT policy is selected)
- Select to specify gateway and corresponding NAT policy. Multiple gateways and NAT policies can be added.
- Use outbound address (only available if Rewrite source address is enabled and Use gateway-specific default NAT policy is disabled)
- Select the NAT policy to be applied from the list of available NAT policies.
- A new NAT policy can be created directly from this page or from the Profiles > Network address translation page.
- The default NAT policy is Masquerade.
- MASQ (interface default IP)
- The IP address of the destination zone as configured in Network > Interfaces will be displayed instead of (interface default IP) when a single Destination zone is selected.
- (Interface default IP) will be displayed when multiple Destination zones are selected.
- Primary gateway
- Select the primary gateway to route the request. You can create a new gateway from this page itself or from Routing > Gateways.
- Note: On deletion of the gateway, Primary gateway will display WAN link load balance for the WAN destination zone and None for other zones. In that case, the firewall rule will not make routing decisions.
- Backup gateway
- Select the backup gateway to route the request. You can create a new gateway from this page itself or from Routing > Gateways.
- Note: On deletion of the gateway, Backup gateway will display None.
- Specify the logging option for the user application traffic.
- Log firewall traffic
- Click to enable logging of permitted and denied traffic.