topic Re: How do I allow udp port 33001? in General Topics

How do I allow udp port 33001?

robert_smith — Tue, 10 Apr 2012 03:10:35 GMT

Hello All,

I have encountered an issue where a downloaded client installed on Internet Explorer called Aspera client for downloading video content experienced an error.It states to check the UDP port and firewall based on code 15.

Since this is application based (HTTP), where is the most effective place to allow and create the rule for the client to download?

Do I create a "security" rule or create a "application overide"?

I want to be able to allow a source zone or ip (trusted) to allow traffic connections to an ip (untrusted zone) on port udp 33001.

Any insights?

BTW, this site is http://asperasoft.com/en/support/troubleshooting_3/2_Connect_Timeout_4 is where the support is based. I didn't see the application listed either in the PA firewall applications listing either.

Re: How do I allow udp port 33001?

akhan — Tue, 10 Apr 2012 04:25:34 GMT

Hi Robert,

From the description of the error message, it seems that the control connection over TCP is established, but the data connection, using UDP 33001 cannot be established. To resolve this, you first need to create a service under Objects -> Services. Create a service called "Aspera" for protocol UDP and destination port 33001 (do not define a source port as it will probably be random).

Then create a security rule under Policies -> Security like the following:

Source Zone: Trusted

Source Address: Define private source addresses you wish to allow through the firewall or set to "any" to allow everyone.

Destination: Untrusted

Destination Address: Any, or a specific Aspera IP address(s) if known.

Application: any

Service: Aspera

Action: Allow

This rule should be placed above your deny rules.

Thanks,

Ahsan

Re: How do I allow udp port 33001?

robert_smith — Tue, 10 Apr 2012 18:22:15 GMT

Thank you for answering my question....

I've added both objects-- services and polcies--security rule to the FW, however after committing the changes and testing, it still doesn't seem to allow download of the video content. It just states "connecting" but no go.

I've included a snapshot of the event of what occurs when using Aspera webclient and the rules added.

Perhaps I've missed something?

Re: How do I allow udp port 33001?

akhan — Tue, 10 Apr 2012 23:38:57 GMT

Hi Robert,

You configurations look fine. You might want to configure a clean-up (src zone: trust, dst zone: untrust, action deny) rule at the bottom of your security policies in order to determine what traffic is being blocked by PAN. You can then filter the traffic logs based on your Source IP address to check if anything is being blocked. I would also suggest checking your URL filtering logs and threat logs to make sure nothing is being denied there.

Thanks,

Ahsan

Re: How do I allow udp port 33001?

robert_smith — Thu, 12 Apr 2012 02:02:00 GMT

Thanks for answering but what is a cleanup and how do I do this particular rule you mentioned?

Can you provide steps?

Re: How do I allow udp port 33001?

akhan — Thu, 12 Apr 2012 02:14:35 GMT

Hi Robert,

By default, PAN will only generate logs for traffic that matches a defined security policy. If traffic from one zone to another is not explicity allowed by a security policy, it is blocked by an implicit deny policy (not visible in security policies) and these denys will not be logged in the traffic logs. For troubleshooting purposes, we can setup a cleanup rule to log traffic that would be implicitly denied.

The cleanup rule would look like:

Source Zone: Trusted

Source Address: any

Destination: Untrusted

Destination Address: any

Application: any

Service: any

Action: Deny

Make sure that the cleanup rule is at the bottom of your security policies. Security policies are read from Top to Bottom.

- Once changes have been committed, you can check the traffic logs under Monitor-> Logs-> Traffic. From there you can click on the source IP address and filter the logs based on it. This would show us if any traffic from the Aspera client is being denied. You can then modify the security policies to allow the traffic being denied.

Thanks,

Ahsan

Re: How do I allow udp port 33001?

mikand — Thu, 12 Apr 2012 07:47:16 GMT

For debug-purposes it can be handy that you set your last cleanup rule to not only log on "session end" but also at "session start" (otherwise you would need to wait for the flow to finish before it shows up in the PAN logs).

Usually session end gives you trafficvolume and application (which session start cannot show) so in case you dont need to know these (since the deny should be on the first bad packet) you can set the cleanup rule to only log on "session start" instead of "session end" (otherwise your log volume will go up if you didnt do this before).

Re: How do I allow udp port 33001?

robert_smith — Thu, 12 Apr 2012 17:04:51 GMT

Thank you for your help in this matter.