FortiGate
ManoelMartins
Article Id 278453
Description

This article describes two ways to block a specific application from receiving email.
Scope

FortiOS v6.4.7 and above,

Thunderbird application,

Low-end device.

Solution

For a device with low hardware resources, the approach below is the best fit for this goal.

If an Application Control profile is not applied to all traffic to the internet, create a separate policy above the internet policy to enforce the application restriction. Policies are matched top-down, so a block placed below the general internet policy is never reached.

This recommendation can be applied together with the steps in this article.

 

1. First procedure: block the application from receiving email

Add a deny policy that defines the services to block. For example:

Image 1

 

Alternatively, use the following command line configuration (the default action of a firewall policy is deny, so no 'set action' line is required):

config firewall policy
    edit 2
        set name "Block-mail-port"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "POP3S" "IMAP" "IMAPS" "POP3" "SMTP" "SMTPS"
        set logtraffic all
        set comments "Block email application ports"
    next
end
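Because the deny policy only works when it sits above the internet policy on the same interface pair, it helps to check the ordering after editing a box with many policies. The following Python script is an added example, not part of this article or of FortiOS: it parses a 'config firewall policy' dump in the format shown above and confirms that the email deny policy precedes every accept policy that could admit email; the sample dump, the internet policy id 10 and the function names are constructed for the example.

```python
import shlex
# Constructed sample in the CLI format shown above: the article's deny policy
# (id 2) placed above a generic internet-access policy (id 10, constructed).
SAMPLE_CONFIG = """\
config firewall policy
    edit 2
        set srcintf "port3"
        set dstintf "port2"
        set service "POP3S" "IMAP" "IMAPS" "POP3" "SMTP" "SMTPS"
    next
    edit 10
        set srcintf "port3"
        set dstintf "port2"
        set action accept
        set service "ALL"
    next
end
"""

EMAIL_SERVICES = {"POP3", "POP3S", "IMAP", "IMAPS", "SMTP", "SMTPS"}

def parse_policies(text):
    """Parse a 'config firewall policy' dump into a list of dicts in table order."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = {"id": line.split(maxsplit=1)[1]}
        elif line.startswith("set ") and current is not None:
            parts = shlex.split(line)  # keeps quoted, multi-valued settings intact
            current[parts[1]] = parts[2:]
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
    return policies

def email_block_precedes_internet(policies, srcintf, dstintf):
    """True when a deny policy covering all email services precedes every accept
    policy on this interface pair that could match email (FortiOS matches top-down)."""
    seen_block = False
    for pol in policies:
        if pol.get("srcintf") != [srcintf] or pol.get("dstintf") != [dstintf]:
            continue
        services = set(pol.get("service", []))
        action = pol.get("action", ["deny"])[0]  # 'show' omits the deny default
        if action == "deny" and EMAIL_SERVICES <= services:
            seen_block = True
        elif action == "accept" and not seen_block and ("ALL" in services or services & EMAIL_SERVICES):
            return False  # the internet policy would match email traffic first
    return seen_block
```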

 

2. Second procedure: block the application from receiving email

This procedure blocks the email application signatures. Select them from the list in an Application Control profile and associate that profile with a firewall policy.

 

2.1 Create an Application Security Profile

 

As per the image below, follow these steps:

  1. Go to Security Profiles -> Application Control -> Create New.
  2. Define a name, e.g. 'block e-mail'.
  3. Under Application and Filter Overrides, select Create New.
  4. Click the filter icon on the Category column title.
  5. Choose Email.
  6. Select Add All Results (a green check appears to the left of every application signature).
  7. Select OK to create the profile.

Image 2

 

Alternatively, use the following command line configuration:

config application list
    edit "block e-mail"
        set other-application-log enable
        config entries
            edit 1
                set application 29025 16554 15819 24256 1596228125 36136 24703 16018 16405 15851 15817 16170 38726 38725 41703 41694 16167 16478 16103 27783 152305671 16528 36237 17354 17458 27209 35799 35801 36171 15816 16162 28247 38690 36055 25076 36222 41660 15837 25562 24727 32442 24747 38709 38708 41702 41701 16104 27561 152305670 36536 15969 36854 32242 38386 27505 17209 16074 27559 152305669 28992 29265 28991 16919 15815 16025 24284 24888 24767 41678 16487 34397 15839 39077 16169 38522 38521 41691 41689 28106 35828 16486 17693 34499
            next
        end
    next
end

 

2.2 Create a policy that applies the Application Control profile

For this specific case, deep inspection is not necessary; the policy below uses the certificate-inspection SSL/SSH profile.

Image 3

 

Alternatively, use the following command line configuration:

config firewall policy
    edit 3
        set name "app-mail-block"
        set uuid 9dbecd32-66b1-51ee-702a-fdf8fa6c4d57
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "block e-mail"
        set logtraffic all
        set nat enable
    next
end

 

P.S. It is recommended to change srcaddr in the policy from 'all' to an address object for the internal LAN, so that the policy is restricted to that network. Note that the interface names may differ in each environment.