https://live.paloaltonetworks.com/t5/general-topics/problems-with-skype-rule-letting-traffic-through/m-p/113554#M45226 <P>Good morning, have you found the correct destination dns name (skype sistes) that must be trusted for allowing Skype the connection?</P> Thu, 15 Sep 2016 10:28:17 GMT IT-DLNetworkSecurity 2016-09-15T10:28:17Z https://live.paloaltonetworks.com/t5/general-topics/problems-with-skype-rule-letting-traffic-through/m-p/44845#M32925 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I am trying to configure a rule on the PA2050 to allow SKYPE out of the network, and I am seeing a bit of a security hole in the app rule.</P><P></P><P>I have set it up using the document:</P><P></P><P></P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-1505/controllingskype.pdf">https://live.paloaltonetworks.com/docs/DOC-1505/controllingskype.pdf</A></P><P></P><P>I have:</P><P></P><P>From Zone: Trust</P><P>to Zone: Untrust</P><P>Address: &amp;lt;My Workstation&amp;gt;</P><P>Application: SKYPE, SKYPE-PROBE, UNKNOWN-UDP</P><P>Service: Application Default</P><P></P><P>If I do a telnet to an IP address on the internet on a random port, it gets through OK using this rule, in the logs I see:</P><P></P><P>From &amp;lt;My Workstation&amp;gt;, to &amp;lt;Internet Address&amp;gt;, &amp;lt;Port Numbers&amp;gt;, Application Incomplete, action ALLOW, Rule &amp;lt;Skype Allow Rule&amp;gt;</P><P></P><P>At the other end I can see the TCP connection establish correctly.</P><P></P><P>The firewall should be blocking the traffic, as the traffic is NOT skype traffic, but it seems using SKYPE as the application ID it will allow any other unwanted traffic out.</P><P></P><P>Have I done something wrong in setting up the rule, or is this a bug?</P><P></P><P>Thanks</P></BODY></HTML> Sun, 08 Dec 2013 21:05:35 GMT https://live.paloaltonetworks.com/t5/general-topics/problems-with-skype-rule-letting-traffic-through/m-p/44845#M32925 jenkinsp 2013-12-08T21:05:35Z https://live.paloaltonetworks.com/t5/general-topics/problems-with-skype-rule-letting-traffic-through/m-p/44846#M32926 <HTML><HEAD></HEAD><BODY><P>jenkinsp,</P><P></P><P>Your rule appears to be configured correctly and the firewall is also acting as it should.</P><P></P><P>The PAN firewall will allow sessions to be created based on the 6-tuple key (source_address, destination_address, source_port, destination_port, protocol &amp; security_zone) so that enough data (Layer7) packets can flow through, in order for the application engine to identify the application.</P><P></P><P>Once the app engine identifies your traffic as SKYPE or otherwise, then the firewall makes the decision to allow or deny the rest of the traffic based on the identified application.</P><P></P><P>For your test, when you telnet to the external IP and port, the firewall would first create a session with the application as 'undecided', which is enough to allow the SYN, SYN/ACK, ACK through, and that is why you see a successfully formed TCP session.</P><P>As soon as you try to pass other traffic in this telnet session, however, the app engine will detect the correct application and the firewall either permits or denies it based on the rest of your configured security rules.</P><P></P><P>You can use the CLI command 'show session all filter destination &lt;dest_IP_address&gt; destination-port &lt;port_#&gt;' to confirm how the firewall identifies the application of your (telnet) traffic.</P><P></P><P>Hope this helps.</P><P></P><P>Regards,</P><P>tasonibare</P></BODY></HTML> Mon, 09 Dec 2013 06:54:49 GMT https://live.paloaltonetworks.com/t5/general-topics/problems-with-skype-rule-letting-traffic-through/m-p/44846#M32926 tasonibare 2013-12-09T06:54:49Z https://live.paloaltonetworks.com/t5/general-topics/problems-with-skype-rule-letting-traffic-through/m-p/99403#M44179 <P><A href="https://live.paloaltonetworks.com/t5/General-Topics/Problems-with-Skype-rule-letting-traffic-through/m-p/44845#M32925" target="_blank">https://live.paloaltonetworks.com/t5/General-Topics/Problems-with-Skype-rule-letting-traffic-through/m-p/44845#M32925</A></P> Fri, 22 Jul 2016 08:35:33 GMT https://live.paloaltonetworks.com/t5/general-topics/problems-with-skype-rule-letting-traffic-through/m-p/99403#M44179 Sheena 2016-07-22T08:35:33Z https://live.paloaltonetworks.com/t5/general-topics/problems-with-skype-rule-letting-traffic-through/m-p/99404#M44180 <P>Good article here:</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Learning-Articles/Security-Rule-Behavior-with-Applications-Allowed-with-Service/ta-p/52102" target="_blank">https://live.paloaltonetworks.com/t5/Learning-Articles/Security-Rule-Behavior-with-Applications-Allowed-with-Service/ta-p/52102</A></P> Fri, 22 Jul 2016 08:45:19 GMT https://live.paloaltonetworks.com/t5/general-topics/problems-with-skype-rule-letting-traffic-through/m-p/99404#M44180 TranceforLife 2016-07-22T08:45:19Z https://live.paloaltonetworks.com/t5/general-topics/problems-with-skype-rule-letting-traffic-through/m-p/113554#M45226 <P>Good morning, have you found the correct destination dns name (skype sistes) that must be trusted for allowing Skype the connection?</P> Thu, 15 Sep 2016 10:28:17 GMT https://live.paloaltonetworks.com/t5/general-topics/problems-with-skype-rule-letting-traffic-through/m-p/113554#M45226 IT-DLNetworkSecurity 2016-09-15T10:28:17Z