https://live.paloaltonetworks.com/t5/general-topics/alg-for-facetime-via-nat/m-p/25937#M18915 <HTML><HEAD></HEAD><BODY><P>ALG? Dont you mean Appid?</P></BODY></HTML> Thu, 19 Jan 2012 16:12:59 GMT mikand 2012-01-19T16:12:59Z https://live.paloaltonetworks.com/t5/general-topics/alg-for-facetime-via-nat/m-p/25936#M18914 <HTML><HEAD></HEAD><BODY><P>We're running 4.0.5 and Facetime does not work as the packets coming from Apple's servers via the Internet are dropped. I noticed there was an ALG for H.323 in 4.1 but wasn't sure if that was related to Facetime or if there was anothe work around.</P></BODY></HTML> Thu, 19 Jan 2012 15:35:30 GMT https://live.paloaltonetworks.com/t5/general-topics/alg-for-facetime-via-nat/m-p/25936#M18914 bjdraw 2012-01-19T15:35:30Z https://live.paloaltonetworks.com/t5/general-topics/alg-for-facetime-via-nat/m-p/25937#M18915 <HTML><HEAD></HEAD><BODY><P>ALG? Dont you mean Appid?</P></BODY></HTML> Thu, 19 Jan 2012 16:12:59 GMT https://live.paloaltonetworks.com/t5/general-topics/alg-for-facetime-via-nat/m-p/25937#M18915 mikand 2012-01-19T16:12:59Z https://live.paloaltonetworks.com/t5/general-topics/alg-for-facetime-via-nat/m-p/25938#M18916 <HTML><HEAD></HEAD><BODY><P>There has been an App-ID for facetime for some time and it works fine with NAT.&nbsp; Facetime uses STUN to deal with NAT so it should be seamless anyway.</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Fri, 20 Jan 2012 06:45:08 GMT https://live.paloaltonetworks.com/t5/general-topics/alg-for-facetime-via-nat/m-p/25938#M18916 kbrazil 2012-01-20T06:45:08Z https://live.paloaltonetworks.com/t5/general-topics/alg-for-facetime-via-nat/m-p/25939#M18917 <HTML><HEAD></HEAD><BODY><P><SPAN>There still is according to: </SPAN><A class="jive-link-external-small" href="http://apps.paloaltonetworks.com/applipedia//">http://apps.paloaltonetworks.com/applipedia//</A></P><P></P><P>It looks like it depends on "ichat-av, sip, ssl, stun" which means that you need to allow those aswell (I think you will get an error or warning otherwise if you try to commit with not all dependencies set).</P></BODY></HTML> Fri, 20 Jan 2012 20:00:02 GMT https://live.paloaltonetworks.com/t5/general-topics/alg-for-facetime-via-nat/m-p/25939#M18917 mikand 2012-01-20T20:00:02Z https://live.paloaltonetworks.com/t5/general-topics/alg-for-facetime-via-nat/m-p/25940#M18918 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>mikand wrote:</P><P></P><P>ALG? Dont you mean Appid?</P></PRE><P></P><P>I mean an Application Layer Gateway which isn't exactly equal to an App-ID, is it?</P><P></P><P><A class="active_link" href="http://www.paloaltonetworks.com/researchcenter/2010/08/whats-appening-with-apple-facetime/">http://www.paloaltonetworks.com/researchcenter/2010/08/whats-appening-with-apple-facetime/</A></P><P></P><P>I did see the PAN AppID for Facetime, was just trying to determine if allowing it was as simple as a rule allowing that application from the Internet to my LAN, or perhaps the other way around since the traffic is actually initiated from my LAN.</P></BODY></HTML> Mon, 23 Jan 2012 13:55:43 GMT https://live.paloaltonetworks.com/t5/general-topics/alg-for-facetime-via-nat/m-p/25940#M18918 bjdraw 2012-01-23T13:55:43Z https://live.paloaltonetworks.com/t5/general-topics/alg-for-facetime-via-nat/m-p/25941#M18919 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>kbrazil wrote:</P><P></P><P>There has been an App-ID for facetime for some time and it works fine with NAT.&nbsp; Facetime uses STUN to deal with NAT so it should be seamless anyway.</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></PRE><P></P><P>I created a policy from zone Internet to zone Internet from Any IP to my Dynamic NAT IP which allows "facetime, aim-base, web-browsing, ssl, stun, sip, ichat-av" and tested unsuccesfully. The outbond traffic is correctly identified, but the traffic comging back from Apple's servers is allowed, but identified as "insufficient-data."</P><P></P><P>I assume allowing the AppID alone isn't enough to make it work with a Dynamic NAT? (We're NAT'ing all our clients out the same public IP)</P></BODY></HTML> Mon, 23 Jan 2012 15:31:34 GMT https://live.paloaltonetworks.com/t5/general-topics/alg-for-facetime-via-nat/m-p/25941#M18919 bjdraw 2012-01-23T15:31:34Z https://live.paloaltonetworks.com/t5/general-topics/alg-for-facetime-via-nat/m-p/25942#M18920 <HTML><HEAD></HEAD><BODY><P>Scratch this entire thread, NO inbound rules are required to make Facetime work on the PAN firewall.</P><P></P><P>The reason mine wasn't working out of the box was becaue I had an explicit deny for SIP traffic destined from my network to the Internet. And since the Facetime AppID is dependant on SIP, it failed without logging. Interestingly with the rule disalbed, Facetime is working but sip traffic is still not logged. </P></BODY></HTML> Mon, 23 Jan 2012 17:09:32 GMT https://live.paloaltonetworks.com/t5/general-topics/alg-for-facetime-via-nat/m-p/25942#M18920 bjdraw 2012-01-23T17:09:32Z https://live.paloaltonetworks.com/t5/general-topics/alg-for-facetime-via-nat/m-p/25943#M18921 <HTML><HEAD></HEAD><BODY><P>Didnt you get any warning during commit that you had colliding rules?</P><P></P><P>And which PANOS is it you were using?</P></BODY></HTML> Mon, 23 Jan 2012 19:41:17 GMT https://live.paloaltonetworks.com/t5/general-topics/alg-for-facetime-via-nat/m-p/25943#M18921 mikand 2012-01-23T19:41:17Z https://live.paloaltonetworks.com/t5/general-topics/alg-for-facetime-via-nat/m-p/25944#M18922 <HTML><HEAD></HEAD><BODY><P>I was running 4.0.8 (can't remember the exact 4.0 release) and I didn't get a warrning because my policy for traffic destined for the internet from the LAN was 'any' and I just added exclusions to block SIP and SMTP. If I had put an explicit rule allowing Facetime from the LAN to the Internet then I would've gotten an error.</P></BODY></HTML> Wed, 25 Jan 2012 13:22:13 GMT https://live.paloaltonetworks.com/t5/general-topics/alg-for-facetime-via-nat/m-p/25944#M18922 bjdraw 2012-01-25T13:22:13Z