https://live.paloaltonetworks.com/t5/general-topics/avaya-ports-blocking/m-p/1249550#M126105 <P>Hello,</P> <P>&nbsp;</P> <DIV class="x_elementToProof" data-olk-copy-source="MessageBody">We recently installed<SPAN>&nbsp;</SPAN><STRONG>Avaya UCS</STRONG>&nbsp;and are currently using the<SPAN>&nbsp;</SPAN><STRONG>Avaya Workplace</STRONG>&nbsp;application. For this setup, we configured the required security rules on our<SPAN>&nbsp;</SPAN><STRONG>Palo Alto Networks PA-440 firewall</STRONG>. However, we are experiencing an issue when applying specific ports in the security policy.</DIV> <DIV class="x_elementToProof">We tested the following scenarios:</DIV> <OL start="1" data-start="409" data-end="1247"> <LI> <DIV class="x_elementToProof" role="presentation"><STRONG>Security Rule Configuration</STRONG></DIV> </LI> <UL data-start="449" data-end="688"> <LI> <DIV class="x_elementToProof" role="presentation">When the rule is configured with<SPAN>&nbsp;</SPAN><STRONG>Application: application-default</STRONG>&nbsp;and<SPAN>&nbsp;</SPAN><STRONG>Service: Any</STRONG>, the<SPAN>&nbsp;</SPAN><STRONG>Avaya Workplace</STRONG>&nbsp;application works correctly.</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">However, when we specify ports in the service section, the application stops working.</DIV> </LI> </UL> <LI> <DIV class="x_elementToProof" role="presentation"><STRONG>Application-Based Rule</STRONG><BR />We selected the following applications:</DIV> <DIV class="x_elementToProof" role="presentation">Despite this, the application still does not work.</DIV> </LI> <UL data-start="768" data-end="891"> <LI> <DIV class="x_elementToProof" role="presentation">avaya-phone-ring</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">avaya-webalive</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">avaya-weblive-voice</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">rtmp</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">sip</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">ssl</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">web-browsing</DIV> </LI> </UL> <LI> <DIV class="x_elementToProof" role="presentation"><STRONG>Service-Based Rule</STRONG><BR />We also tried allowing the following ports/services:</DIV> <DIV class="x_elementToProof" role="presentation">Even with these ports allowed, the application is still not functioning.</DIV> </LI> <UL data-start="1035" data-end="1170"> <LI> <DIV class="x_elementToProof" role="presentation">5060/tcp</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">5060/udp</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">5061/tcp</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">16384–32767/tcp</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">16384–32767/udp</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">3389/tcp</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">80/tcp</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">443/tcp</DIV> </LI> </UL> </OL> <DIV class="x_elementToProof">Could you please advise on the correct<SPAN>&nbsp;</SPAN><STRONG>application and port requirements</STRONG>&nbsp;for the Avaya Workplace application.</DIV> <P>&nbsp;</P> <P>Thanks</P> <P>Satheesh</P> Thu, 05 Mar 2026 16:03:12 GMT SatheeshAnirudhan 2026-03-05T16:03:12Z https://live.paloaltonetworks.com/t5/general-topics/avaya-ports-blocking/m-p/1249550#M126105 <P>Hello,</P> <P>&nbsp;</P> <DIV class="x_elementToProof" data-olk-copy-source="MessageBody">We recently installed<SPAN>&nbsp;</SPAN><STRONG>Avaya UCS</STRONG>&nbsp;and are currently using the<SPAN>&nbsp;</SPAN><STRONG>Avaya Workplace</STRONG>&nbsp;application. For this setup, we configured the required security rules on our<SPAN>&nbsp;</SPAN><STRONG>Palo Alto Networks PA-440 firewall</STRONG>. However, we are experiencing an issue when applying specific ports in the security policy.</DIV> <DIV class="x_elementToProof">We tested the following scenarios:</DIV> <OL start="1" data-start="409" data-end="1247"> <LI> <DIV class="x_elementToProof" role="presentation"><STRONG>Security Rule Configuration</STRONG></DIV> </LI> <UL data-start="449" data-end="688"> <LI> <DIV class="x_elementToProof" role="presentation">When the rule is configured with<SPAN>&nbsp;</SPAN><STRONG>Application: application-default</STRONG>&nbsp;and<SPAN>&nbsp;</SPAN><STRONG>Service: Any</STRONG>, the<SPAN>&nbsp;</SPAN><STRONG>Avaya Workplace</STRONG>&nbsp;application works correctly.</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">However, when we specify ports in the service section, the application stops working.</DIV> </LI> </UL> <LI> <DIV class="x_elementToProof" role="presentation"><STRONG>Application-Based Rule</STRONG><BR />We selected the following applications:</DIV> <DIV class="x_elementToProof" role="presentation">Despite this, the application still does not work.</DIV> </LI> <UL data-start="768" data-end="891"> <LI> <DIV class="x_elementToProof" role="presentation">avaya-phone-ring</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">avaya-webalive</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">avaya-weblive-voice</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">rtmp</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">sip</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">ssl</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">web-browsing</DIV> </LI> </UL> <LI> <DIV class="x_elementToProof" role="presentation"><STRONG>Service-Based Rule</STRONG><BR />We also tried allowing the following ports/services:</DIV> <DIV class="x_elementToProof" role="presentation">Even with these ports allowed, the application is still not functioning.</DIV> </LI> <UL data-start="1035" data-end="1170"> <LI> <DIV class="x_elementToProof" role="presentation">5060/tcp</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">5060/udp</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">5061/tcp</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">16384–32767/tcp</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">16384–32767/udp</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">3389/tcp</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">80/tcp</DIV> </LI> <LI> <DIV class="x_elementToProof" role="presentation">443/tcp</DIV> </LI> </UL> </OL> <DIV class="x_elementToProof">Could you please advise on the correct<SPAN>&nbsp;</SPAN><STRONG>application and port requirements</STRONG>&nbsp;for the Avaya Workplace application.</DIV> <P>&nbsp;</P> <P>Thanks</P> <P>Satheesh</P> Thu, 05 Mar 2026 16:03:12 GMT https://live.paloaltonetworks.com/t5/general-topics/avaya-ports-blocking/m-p/1249550#M126105 SatheeshAnirudhan 2026-03-05T16:03:12Z https://live.paloaltonetworks.com/t5/general-topics/avaya-ports-blocking/m-p/1249553#M126107 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/230423">@SatheeshAnirudhan</a>&nbsp;,</P> <P>&nbsp;</P> <P>Kudos to you for trying L7 rules!&nbsp; That is the best practice.&nbsp; As you have found, this can be very challenging.&nbsp; The process that has worked very well for me is as follows:</P> <P>&nbsp;</P> <OL> <LI>Create an application-based rule with application-default as the service.&nbsp; This rule is your rule #2.</LI> <LI>Create an application-based rule with specific ports as the service because you cannot combine application-default and specific ports in the same rule.&nbsp; This rule is used for applications that use non-standard ports.</LI> <LI>Create a catch-all rule to find anything that I missed.&nbsp; This rule is your rule #1.</LI> </OL> <P>I put these 3 rules in order in the security policy.&nbsp; The catch-all rule is used to identify the traffic that doesn't match the 1st 2 rules.&nbsp; You can (1) mouse over the catch-all rule and use Log Viewer or you can use (2) Apps Seen column hyperlink to the Policy Optimizer to determine which traffic is not hitting the 1st 2 rules.&nbsp; You modify rule 1 or 2 to include the new apps.&nbsp; Repeat the process until you do not have any more hits on rule 3.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 05 Mar 2026 17:21:55 GMT https://live.paloaltonetworks.com/t5/general-topics/avaya-ports-blocking/m-p/1249553#M126107 TomYoung 2026-03-05T17:21:55Z