topic Re: Skype and PBF in General Topics

Skype and PBF

gafrol — Fri, 20 Apr 2012 13:06:34 GMT

Hi all,

We have two ISP's connected to our PA FW (4.1.5). ISP A (e1/5) is the default for all outbound internet traffic. ISP B (e1/7) is the backup link. Now we would like to use the backup link for all skype related traffic. Until now I did not have success.

I have created the follwoing PBF rule:

But skype still gets forwarded to ISP A. Is there anything missing ?

TNX Roland

Re: Skype and PBF

sebastian — Fri, 20 Apr 2012 13:37:52 GMT

Hi Roland,

is the PBF working correctly at all with the 4.1.5 in your setup?

I'm asking because we are running the 4.1.5 too.

And we have the "funny" issue that the traffic is routed to both interfaces to the pbf created gateway and the default gw.

This leads to very slow connections and of course connections with to different public IP-addresses. (the ip via pbf = tcp_established and the via default gw = tcp_syn)

We already opened a case but PAN will not look at our system until Monday.

But I believe it's a bug in 4.1.5

Maybe you can check that?

Sebastian

Re: Skype and PBF

gafrol — Fri, 20 Apr 2012 14:42:31 GMT

Hi Sebastian,

good point. I have gone through some further testing. I tried the same for app web-browsing and it worked at least a sort of...

this is my PBF rule for web-browsing

And this is what I see in the traffic log for web-traffic

As you see not all the web-browsing traffic is leaving the correct interface according the PBF rule....

This is confusing me even more. I tried to use the easiest case with the app web-browsing, it has no dependencies and schould be fairly easy to identify from an APP-ID perspective.

Maybe indeed a bug ? Who knows ?

Roland

Re: Skype and PBF

mikand — Fri, 20 Apr 2012 21:36:07 GMT

If I have understood previous info regarding PBF correctly using application for PBF is not recommended by the manual.

That is because the initial syn/synack/ack will go out through whatever your VROUTER tells it to use (your regular defgw, lets say ISP-A).

Not until the flow is recognized as web-browsing (or whatever) it will use ISP-B as nexthop.

The problem here comes if you use SNAT at the same time.

This means that the webserver first receives a syn/synack/ack from ISP-A ip and then suddently regular packets through ISP-B.

This will of course (in most cases) fail at the server side since the stuff from ISP-B didnt handshake properly.

Re: Skype and PBF

zarina — Fri, 20 Apr 2012 21:54:33 GMT

Hello,

Here is a snippet from the admin guide on using apps with PBF:

"The initial session on a given destination IP address and port that is associated with an application will not match an application-specific rule and will be forwarded according to subsequentPBF rules (that do not specify an application) or the virtual router’s forwarding table. Allsubsequent sessions on that destination IP address and port for the same application willmatch an application-specific rule. To ensure forwarding through PBF rules, application specific rules are not recommended."

which means the PBF rule will not match 100% of the time. PBF routing is determined by the first packet and most of the apps we have are not identified with the first packet which implies this will take the normal routing route. After the app is identified, the subsequent sessions of the same app with same src and destn will match the PBF rule. Again, it is not recommended to use apps with PBF.

Thanks,

Sri

Re: Skype and PBF

gafrol — Sat, 21 Apr 2012 09:33:23 GMT

Okay since it is not recommended to use apps in PBF and not working reliably why is it a configurable option ?

Other than creating FUD and support calls I don't see any benefit ....

Roland

Re: Skype and PBF

mikand — Sun, 22 Apr 2012 01:30:12 GMT

I was about to ask the same question...

Reasons I can see:

1) Efficient way to find out who is actually reading the manual(s) and who doesnt? 😉

2) For non-NAT situations (for example if you have Internetrouter <-> PA <-> ISP) you can use the PA device to let specific application traffic use a dedicated interface either for performance reasons or for capture reasons (send a specific application through a dedicated interface where you have a switch with span enabled to record the application(s) you are interrested of).

The performance reason could also have to do with QoS - its easier for your router to statically prioritze incoming traffic at a specific interface instead of having the router try to find out what is youtube (as example) and what isnt. This way your internetrouter could (for example) put youtube traffic on a lower QoS priority where the PA is the device to identify what should go for int 0/1 and what should go out at int 0/2 (without having to enable QoS in PA).

I think it would be bad if this option is removed, however it should possibly be a better warning in the GUI that "are you really sure you know what you are doing? see section x.x in admin gui for more info why we bugger you with this red text" or something shorter...