topic Re: how to block skype for 'trust' zone and allow for 'trust2' zone in General Topics

how to block skype for 'trust' zone and allow for 'trust2' zone

mariusz_sawczuk — Wed, 06 Feb 2013 14:11:43 GMT

Hi,

I'm trying to block skype for one group of users (whitch are in 'l3-trust' security zone) and allow for second group (which are in 'l3-trust2' security zone).

Both zones: 'l3-trust' and 'l3-trust2' are source-NATed to 'l3-untrust' zone, one interface, one IP address.

I made policy rule allowing skype-probe from 'any' zone to 'any' zone and second policy which blocked skype from 'l3-trust' zone to 'l3-untrust'.

Unfortunately all users (from both trusted security zones) have access to skype.

Even, when I modify second rule and add also 'l3-trust2' to blocked zone for skype, skype is working for everyone.

I suspect some network misconfiguration, so I attach configuration screens.

Please help!

Re: how to block skype for 'trust' zone and allow for 'trust2' zone

sdurga — Wed, 06 Feb 2013 17:50:03 GMT

The configuration looks OK. Can you please run the following commands. R u trying to test this with SKYPE Test call ? because Skype test call works even you block skype .

Try to make a skype call ( not the test call ) to one of the contacts from l3-trust zone and now look at the sessions information you do this via " show session info"

. Now from the sessions look wether the l3-trust users are hitting the correct security rule or not. Also in the sessions, look for what is the application. You should not see any thing other than Skype-probe or Skype. If application and the security rules are correct I do not see any reason for this to fail.

Tx,
Sandeep T

Re: how to block skype for 'trust' zone and allow for 'trust2' zone

mariusz_sawczuk — Wed, 06 Feb 2013 23:41:37 GMT

Hi,

Voice calls are blocked, but chat is still possible. Wold be much more efficient just to completly block user login to skype. Is it possible in general, and if not how to disable chating in skype?

Re: how to block skype for 'trust' zone and allow for 'trust2' zone

SCoupland — Thu, 07 Feb 2013 21:53:32 GMT

What does the traffic log show? Is everything showing up as Skype-base? Are you using a merged Skype/Live messenger account to test? The Skype program will use both the Live Messenger application and Skype-base application for chat if it is a merged account.

Re: how to block skype for 'trust' zone and allow for 'trust2' zone

mariusz_sawczuk — Wed, 13 Feb 2013 01:34:06 GMT

In report of 'show session all' I see that PAN recognize skype (even skype IM) as a 'skype' application and there is also skype-probe of course.

But I didn;t told you about important thing, and I'm wondering now that is so matter in my case?

All my tests I'm doing on my laptop where I have Windows 7 installed, and it hosts virtual enviroment (VMWare Workstation) in whch I have virtual PAN and virtual Windows XP machine installed.

All traffic from virtual Windows XP is going through virtual PAN (secured, NATed and routed by virtual PAN), after that NATed to my physical interface (by VMware network mechanism) and after that routed to Internet..From the virtual Windows XP perspective, my Windows 7 host OS (and let say Internet) is in untrust zone.

I'm wondering now that could cause some impact for skype?

I observe that when I completelty block every traffic/applicaiton on virtual PAN, and when I launch Skype on virtual Windows XP it doesn't work. But when I'm launch Skype on my Windows 7 host OS and restart Skype on virtual Windows XP it's start wokring and I can do call from Windows XP to Windows7.

Well, as I mentioned both machines are zone based secured, but to be honest they have 'shared' network interfaces.

Virtual Palo Alto has 3 interfaces:

- untrust which is VMnet8 (NATed by VMWare interface)

- trust which is VMnet1 (host-only, isolated interface)

- trust2 which is VMnet2 (host-only, isolated interrface)

Virutal Windows XP has only one interface which is in trust zone and it is VMNet1 interface.

Host OS - Windows 7 of course sees alle above interfaces: VMnet8, VMnet1 and VMnet2, becuase it runs VMWare Workstaiton, which creates all this interfeaces.

So maybe skype could use it in some magic way nad this cause me problem?

If yes how to fix it and block skype?