https://live.paloaltonetworks.com/t5/general-topics/allowing-some-protocols-from-any-user-port/m-p/36985#M27148 <HTML><HEAD></HEAD><BODY><P>I am curious what others are doing for some protocols:&nbsp; Examples:&nbsp; DNS, ocsp, STUN, meraki, apple push notification, etc.&nbsp; It seems to me that these sorts of things could be let go for pretty much all users, anytime and be excluded from the captive portal.&nbsp; Correct?</P><P></P><P>I have a couple fo reasons for this question:</P><P></P><P>1.&nbsp; I am having issues with Facetime which I believe is occurring because device is trying to talk to the apple servers before the user has yet to authenticate to the captive portal.</P><P>2.&nbsp; STUN is trying to get out on some ports which are "nonstandard".&nbsp; It seems that I could let STUN go on any port.</P><P></P><P>Thoughts?</P><P>Bob</P></BODY></HTML> Tue, 22 Jan 2013 17:20:40 GMT BobW 2013-01-22T17:20:40Z https://live.paloaltonetworks.com/t5/general-topics/allowing-some-protocols-from-any-user-port/m-p/36985#M27148 <HTML><HEAD></HEAD><BODY><P>I am curious what others are doing for some protocols:&nbsp; Examples:&nbsp; DNS, ocsp, STUN, meraki, apple push notification, etc.&nbsp; It seems to me that these sorts of things could be let go for pretty much all users, anytime and be excluded from the captive portal.&nbsp; Correct?</P><P></P><P>I have a couple fo reasons for this question:</P><P></P><P>1.&nbsp; I am having issues with Facetime which I believe is occurring because device is trying to talk to the apple servers before the user has yet to authenticate to the captive portal.</P><P>2.&nbsp; STUN is trying to get out on some ports which are "nonstandard".&nbsp; It seems that I could let STUN go on any port.</P><P></P><P>Thoughts?</P><P>Bob</P></BODY></HTML> Tue, 22 Jan 2013 17:20:40 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-some-protocols-from-any-user-port/m-p/36985#M27148 BobW 2013-01-22T17:20:40Z https://live.paloaltonetworks.com/t5/general-topics/allowing-some-protocols-from-any-user-port/m-p/36986#M27149 <HTML><HEAD></HEAD><BODY><P>Hi Bob, </P><P>If you are having issue with facetime then you can allow that as an applicaiton instead of using the ports. You can configure the Palo Alto firewall to either allow the traffic based on ports or applications. If it is allowed based on application then it checks the traffic and even if it is on non-standard ports it allows it.</P><P>If you allow it as an application then firewall will check the traffic and make sure which ever session belongs to facetime is allowed .</P><P></P><P>Here is the application details on face time from the firewall</P><P></P><P><LABEL class="x-form-item-label" for="ext-comp-1360" id="ext-gen1071" style="text-align: left; padding-top: 3px; padding-right: 3px; padding-bottom: 3px;"><STRONG>Name:&nbsp; </STRONG></LABEL></P><DIV class=" x-form-display-field" id="ext-comp-1360" style="padding-top: 4px;">facetime<P></P></DIV><P class="x-form-item " id="ext-gen1072" style="margin-bottom: 4px; font-family: tahoma, helvetica, arial, sans-serif; font-size: 11px; color: #222222; text-align: -webkit-auto; background-color: #ebedee;"><LABEL class="x-form-item-label" for="ext-comp-1361" id="ext-gen1073" style="text-align: left; padding-top: 3px; padding-right: 3px; padding-bottom: 3px;"><STRONG>Description:&nbsp; </STRONG></LABEL></P><DIV class="x-form-element" id="x-form-el-ext-comp-1361" style="padding-left: 185px; font-family: Tahoma, Arial, Helvetica, sans-serif;"><DIV class=" x-form-display-field" id="ext-comp-1361" style="padding-top: 4px;">FaceTime is a video calling software feature for iPhone 4's phone application, developed by Apple. It is based on numerous open standards: H.264 and AAC - video and audio codecs; SIP - IETF signaling protocol for VoIP; STUN, TURN, and ICE - IETF technologies for traversing firewalls and NAT; RTP and SRTP - IETF standards for delivering real-time and encrypted media streams for VoIP.<P></P></DIV></DIV><P class="x-form-item " id="ext-gen1074" style="margin-bottom: 4px; font-family: tahoma, helvetica, arial, sans-serif; font-size: 11px; color: #222222; text-align: -webkit-auto; background-color: #ebedee;"><LABEL class="x-form-item-label" for="ext-comp-1362" id="ext-gen1075" style="text-align: left; padding-top: 3px; padding-right: 3px; padding-bottom: 3px;"><STRONG>Additional Information:&nbsp; </STRONG></LABEL></P><DIV class="x-form-element" id="x-form-el-ext-comp-1362" style="padding-left: 185px; font-family: Tahoma, Arial, Helvetica, sans-serif;"><DIV class=" x-form-display-field" id="ext-comp-1362" style="padding-top: 4px;"><A href="http://www.apple.com/iphone/features/facetime.html" style="color: #5396b8;" target="_blank">FaceTime</A>&nbsp; <A href="http://en.wikipedia.org/wiki/FaceTime" style="color: #5396b8;" target="_blank">Wikipedia</A>&nbsp; <A href="http://www.google.com/search?q=facetime" style="color: #5396b8;" target="_blank">Google</A>&nbsp; <A href="http://search.yahoo.com/search?q=facetime" style="color: #5396b8;" target="_blank">Yahoo!</A><P></P></DIV></DIV><P class="x-form-item " id="ext-gen1076" style="margin-bottom: 4px; font-family: tahoma, helvetica, arial, sans-serif; font-size: 11px; color: #222222; text-align: -webkit-auto; background-color: #ebedee;"><LABEL class="x-form-item-label" for="ext-comp-1363" id="ext-gen1077" style="text-align: left; padding-top: 3px; padding-right: 3px; padding-bottom: 3px;"><STRONG>Standard Ports:&nbsp; </STRONG></LABEL></P><DIV class="x-form-element" id="x-form-el-ext-comp-1363" style="padding-left: 185px; font-family: Tahoma, Arial, Helvetica, sans-serif;"><DIV class=" x-form-display-field" id="ext-comp-1363" style="padding-top: 4px;">tcp/80,443,3478-3497,4080,5223, udp/3478,16384-16387,16393-16402<P></P></DIV></DIV><P class="x-form-item " id="ext-gen1078" style="margin-bottom: 4px; font-family: tahoma, helvetica, arial, sans-serif; font-size: 11px; color: #222222; text-align: -webkit-auto; background-color: #ebedee;"><LABEL class="x-form-item-label" for="ext-comp-1364" id="ext-gen1079" style="text-align: left; padding-top: 3px; padding-right: 3px; padding-bottom: 3px;"><STRONG>Depends on Applications:&nbsp; </STRONG></LABEL></P><DIV class="x-form-element" id="x-form-el-ext-comp-1364" style="padding-left: 185px; font-family: Tahoma, Arial, Helvetica, sans-serif;"><DIV class=" x-form-display-field" id="ext-comp-1364" style="padding-top: 4px;">ichat-av, sip, ssl, stun, web-browsing<P></P></DIV></DIV><P></P><P>Another thing to notice here is that facetime has dependent application as well. So if you block those applications before the rule of face time then you might not be able to get the facetime going.</P><P></P><P>Hopefully this helps.</P><P></P><P>Thank you</P><P>Numan</P></BODY></HTML> Tue, 22 Jan 2013 23:46:22 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-some-protocols-from-any-user-port/m-p/36986#M27149 mbutt 2013-01-22T23:46:22Z https://live.paloaltonetworks.com/t5/general-topics/allowing-some-protocols-from-any-user-port/m-p/36987#M27150 <HTML><HEAD></HEAD><BODY><P>The facetime problem is a bit tricky as I believe it has something to do with traffic going out pre captive portal.</P><P></P><P>Thank you for your reply.&nbsp; I have enabled the dependencies.&nbsp; I have a rule at the bottom of my ruleset which blocks all protocols that get that far.&nbsp; For STUN in particular I am seeing a lot of traffic to ports other than the default of 3478 which are being blocked by my bottom most rule.&nbsp; So this goes back to part of the question.&nbsp; Would it be beneficial (or detrimental) to have a rule that allows STUN to go out on any port or just stick with the default of 3478?&nbsp; Right now I have a rule that lets STUN out for "application default" only, thus udp 3478.</P><P></P><P>Thanks,</P><P>Bob</P></BODY></HTML> Wed, 23 Jan 2013 00:59:22 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-some-protocols-from-any-user-port/m-p/36987#M27150 BobW 2013-01-23T00:59:22Z