topic Re: Question regarding Signal messaging application in General Topics

Question regarding Signal messaging application

shoot0267 — Thu, 17 Apr 2025 14:52:55 GMT

Currently have a PA-440 at home and trying to setup Signal messaging application. I know the application is cert-pinned and therefore cannot be decrypted. To get it to work, I added to the SSL Exclusion Decryption list the following hosts/domains per the Signal website:

https://support.signal.org/hc/en-us/articles/360007320291-Firewall-and-Internet-settings

*.signal.org

signal.art

signal.group

signal.link

signal.me

signal.tube

Text messaging and calling works, but the only application I’m seeing in the logs are SSL/443. I don’t see signal-base or signal-file-transfer applications in the logs.

When I make a call from my iphone, I see in the logs UDP/dynamic ports are getting dropped. Some of random dynamic UDP ports are identified as STUN traffic, and others are “not applicable”. I thought this traffic was supposed to be covered with the signal-base application.

In my security policy, signal-base, signal-file-transfer and SSL are included in my overall trusted outbound rule. I do have STUN application added too but all are set to application-default.

Is this normal behavior for the signal application?

Re: Question regarding Signal messaging application

OtakarKlier — Tue, 22 Apr 2025 16:26:05 GMT

Hello,

What you are seeing is correct. Since the decryption is not happening, the PAN cannot determine the proper application, hence just ssl/443.

Regards,

Re: Question regarding Signal messaging application

Brandon_Wertz — Tue, 22 Apr 2025 18:07:16 GMT

@OtakarKlier wrote:

Hello,

What you are seeing is correct. Since the decryption is not happening, the PAN cannot determine the proper application, hence just ssl/443.

Regards,

I would agree, but then why would Palo have APP-IDs for signal other than the base if decryption is needed, yet decryption for signal isn't a viable option?

Re: Question regarding Signal messaging application

shoot0267 — Tue, 22 Apr 2025 18:07:35 GMT

Thanks for the feedback. I didn't understand why I was seeing the UDP/dynamic traffic drops when making a phone call. The call does go through, but I was surprised to the this traffic in the logs. If I'm just sending text only, the logs are showing the SSL/443 traffic which makes sense.

Re: Question regarding Signal messaging application

Brandon_Wertz — Tue, 22 Apr 2025 18:25:25 GMT

@shoot0267 -- You shouldn't need decryption for things like "base" apps to show up. Even undecrypted traffic the SNI is seen, and "signal-base" should be showing up in traffic logs. There's probably an issue with legit signal traffic not matching the app-id correctly, it's probably best to open a support case so the app-id matches.

Re: Question regarding Signal messaging application

shoot0267 — Tue, 22 Apr 2025 18:48:05 GMT

Yeah, I'm not decrypting any of the Signal traffic. About a month ago, I did see in my logs app-id "signal-file-transfer" but never saw "signal-base". Now, I'm only seeing SSL/443 for chat messages. I guess the Signal application on the iphone may have changed.