ALG for Facetime via NAT?

Not applicable


We're running 4.0.5 and Facetime does not work as the packets coming from Apple's servers via the Internet are dropped. I noticed there was an ALG for H.323 in 4.1 but wasn't sure if that was related to Facetime or if there was another work around.

L6 Presenter

Re: ALG for Facetime via NAT?

ALG? Don't you mean App-ID?

L4 Transporter

Re: ALG for Facetime via NAT?

There has been an App-ID for facetime for some time and it works fine with NAT. Facetime uses STUN to deal with NAT so it should be seamless anyway.

Cheers,

Kelly

L6 Presenter

Re: ALG for Facetime via NAT?

There still is according to: http://apps.paloaltonetworks.com/applipedia//

It looks like it depends on "ichat-av, sip, ssl, stun" which means that you need to allow those as well (I think you will get an error or warning otherwise if you try to commit with not all dependencies set).

Not applicable

Re: ALG for Facetime via NAT?

mikand wrote:

ALG? Don't you mean App-ID?

I mean an Application Layer Gateway which isn't exactly equal to an App-ID, is it?

http://www.paloaltonetworks.com/researchcenter/2010/08/whats-appening-with-apple-facetime/

I did see the PAN AppID for Facetime, was just trying to determine if allowing it was as simple as a rule allowing that application from the Internet to my LAN, or perhaps the other way around since the traffic is actually initiated from my LAN.

Not applicable

Re: ALG for Facetime via NAT?

kbrazil wrote:

There has been an App-ID for facetime for some time and it works fine with NAT. Facetime uses STUN to deal with NAT so it should be seamless anyway.

Cheers,

Kelly

I created a policy from zone Internet to zone Internet from Any IP to my Dynamic NAT IP which allows "facetime, aim-base, web-browsing, ssl, stun, sip, ichat-av" and tested unsuccessfully. The outbound traffic is correctly identified, but the traffic coming back from Apple's servers, while allowed, is identified as "insufficient-data."

I assume allowing the AppID alone isn't enough to make it work with a Dynamic NAT? (We're NAT'ing all our clients out the same public IP)

Not applicable

Re: ALG for Facetime via NAT?

Scratch this entire thread, NO inbound rules are required to make Facetime work on the PAN firewall.

The reason mine wasn't working out of the box was because I had an explicit deny for SIP traffic destined from my network to the Internet. And since the Facetime App-ID is dependent on SIP, it failed without logging. Interestingly, with the rule disabled, Facetime is working but SIP traffic is still not logged.

L6 Presenter

Re: ALG for Facetime via NAT?

Didn't you get any warning during commit that you had colliding rules?

And which PANOS is it you were using?

Not applicable

Re: ALG for Facetime via NAT?

I was running 4.0.8 (can't remember the exact 4.0 release) and I didn't get a warning because my policy for traffic destined for the Internet from the LAN was 'any' and I just added exclusions to block SIP and SMTP. If I had put an explicit rule allowing Facetime from the LAN to the Internet then I would've gotten an error.
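The failure mode described in the last two posts, an explicit deny on one dependency sitting above a catch-all allow so that commit raises no dependency warning, can be caught with a small rulebase check. The following is an added example written for this thread, not Palo Alto Networks code and not a model of PAN-OS internals: it is a simplified first-match evaluator that expands an App-ID into its dependencies (the "ichat-av, sip, ssl, stun" set quoted above for facetime; the ichat-av entry is an assumed placeholder) and reports which dependency a rulebase would block. Rule names and the rulebase itself are constructed to mirror the poster's description.

```python
from collections import namedtuple

# Constructed for this example. The facetime entry is the dependency set quoted
# from Applipedia in the thread; the ichat-av entry is an assumed placeholder so
# the transitive walk has a second level to follow. Not real Applipedia data.
APP_DEPENDENCIES = {
    "facetime": {"ichat-av", "sip", "ssl", "stun"},
    "ichat-av": {"ssl"},  # assumed, for illustration only
}

# src_zone / dst_zone may be a zone name or "any"; apps is a set of App-ID
# names or {"any"}; action is "allow" or "deny".
Rule = namedtuple("Rule", ["name", "src_zone", "dst_zone", "apps", "action"])


def expand_app(app, deps=APP_DEPENDENCIES):
    """Return app plus every application it transitively depends on."""
    seen, stack = set(), [app]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(deps.get(current, ()))
    return seen


def first_match(rules, src_zone, dst_zone, app):
    """Top-to-bottom first-match lookup, the way a security rulebase is read.

    Returns the matching Rule, or None when nothing matches (implicit deny).
    """
    for rule in rules:
        zones_ok = rule.src_zone in ("any", src_zone) and rule.dst_zone in ("any", dst_zone)
        app_ok = "any" in rule.apps or app in rule.apps
        if zones_ok and app_ok:
            return rule
    return None


def blocked_dependencies(rules, src_zone, dst_zone, app):
    """Map each app in the dependency closure that would NOT be allowed to the
    name of the rule that blocks it (None when the implicit deny applies)."""
    blocked = {}
    for dep in sorted(expand_app(app)):
        rule = first_match(rules, src_zone, dst_zone, dep)
        if rule is None:
            blocked[dep] = None
        elif rule.action != "allow":
            blocked[dep] = rule.name
    return blocked


# Constructed rulebase mirroring the poster's setup: explicit SIP and SMTP
# denies above a catch-all 'any' allow from LAN to Internet. Names are invented.
RULEBASE_WITH_DENY = [
    Rule("deny-sip", "LAN", "Internet", {"sip"}, "deny"),
    Rule("deny-smtp", "LAN", "Internet", {"smtp"}, "deny"),
    Rule("allow-out-any", "LAN", "Internet", {"any"}, "allow"),
]

# The same rulebase with the SIP deny disabled, as the poster eventually did.
RULEBASE_FIXED = [r for r in RULEBASE_WITH_DENY if r.name != "deny-sip"]


if __name__ == "__main__":
    # With the deny in place only the sip dependency is blocked, which is enough
    # to break facetime even though facetime itself hits the 'any' allow.
    print(blocked_dependencies(RULEBASE_WITH_DENY, "LAN", "Internet", "facetime"))
    print(blocked_dependencies(RULEBASE_FIXED, "LAN", "Internet", "facetime"))
```

The check is deliberately run per dependency rather than per parent application: because the catch-all rule matches facetime on its own, a commit-time collision check keyed on the explicit application list never sees the conflict, which is exactly why no warning appeared. Running the closure against an exported rulebase before enabling a new App-ID surfaces that kind of shadowing ahead of time.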
