Allowing some protocols from any user/port?

L4 Transporter

I am curious what others are doing for some protocols:  Examples:  DNS, ocsp, STUN, meraki, apple push notification, etc.  It seems to me that these sorts of things could be let go for pretty much all users, anytime and be excluded from the captive portal.  Correct?

I have a couple of reasons for this question:

1.  I am having issues with FaceTime which I believe is occurring because the device is trying to talk to the Apple servers before the user has authenticated to the captive portal.

2.  STUN is trying to get out on some ports which are "nonstandard".  It seems that I could let STUN go on any port.



L5 Sessionator

Re: Allowing some protocols from any user/port?

Hi Bob,

If you are having issues with FaceTime then you can allow that as an application instead of using the ports. You can configure the Palo Alto firewall to either allow the traffic based on ports or applications. If it is allowed based on application then it checks the traffic and even if it is on non-standard ports it allows it.

If you allow it as an application then the firewall will check the traffic and make sure whichever session belongs to FaceTime is allowed.

Here are the application details for FaceTime from the firewall:


FaceTime is a video calling software feature for iPhone 4's phone application, developed by Apple. It is based on numerous open standards: H.264 and AAC - video and audio codecs; SIP - IETF signaling protocol for VoIP; STUN, TURN, and ICE - IETF technologies for traversing firewalls and NAT; RTP and SRTP - IETF standards for delivering real-time and encrypted media streams for VoIP.

Standard ports: tcp/80,443,3478-3497,4080,5223, udp/3478,16384-16387,16393-16402

Depends on: ichat-av, sip, ssl, stun, web-browsing

Another thing to notice here is that FaceTime has dependent applications as well. So if you block those applications before the FaceTime rule then you might not be able to get FaceTime going.

Hopefully this helps.

Thank you


L4 Transporter

Re: Allowing some protocols from any user/port?

The facetime problem is a bit tricky as I believe it has something to do with traffic going out pre captive portal.

Thank you for your reply.  I have enabled the dependencies.  I have a rule at the bottom of my ruleset which blocks all protocols that get that far.  For STUN in particular I am seeing a lot of traffic to ports other than the default of 3478 which is being blocked by my bottommost rule.  So this goes back to part of the question.  Would it be beneficial (or detrimental) to have a rule that allows STUN to go out on any port or just stick with the default of 3478?  Right now I have a rule that lets STUN out for "application default" only, thus udp 3478.
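The three behaviours discussed in this thread (an application rule with service "application-default" versus "any", a dependency application being denied by an earlier rule before the session is ever identified as FaceTime, and traffic that must pass before the user has cleared the captive portal) can be reproduced with a small first-match rule evaluator. This is an added example written for this page, not PAN-OS code and not anything posted by the participants. The FaceTime port list is the one quoted above; the stun and dns default ports, the rule names, the "known-user" source-user setting and the idea that a session is looked up once per App-ID stage are simplifying assumptions made here to show the effect, not a description of how the firewall is implemented.

```python
from dataclasses import dataclass
from typing import Optional

# Default ports App-ID associates with each application. The facetime entry
# copies the ports quoted in the thread; stun (udp/3478, as the poster calls
# "application default") and dns are assumptions for this example.
APP_DEFAULT_PORTS = {
    "stun": {("udp", 3478)},
    "dns": {("udp", 53), ("tcp", 53)},
    "facetime": (
        {("tcp", p) for p in (80, 443, 4080, 5223)}
        | {("tcp", p) for p in range(3478, 3498)}
        | {("udp", p) for p in (3478, *range(16384, 16388), *range(16393, 16403))}
    ),
}


@dataclass(frozen=True)
class Session:
    apps: tuple           # App-ID stages in the order the firewall sees them,
                          # e.g. ("stun", "facetime") for a FaceTime call
    proto: str
    dport: int
    user: Optional[str]   # None = not yet authenticated at the captive portal


@dataclass(frozen=True)
class Rule:
    name: str
    applications: frozenset   # frozenset({"any"}) matches every application
    service: object           # "application-default", "any", or a set of (proto, port)
    action: str               # "allow" or "deny"
    source_user: str = "any"  # "any" or "known-user" (assumed label for this example)


def service_matches(rule, app, proto, dport):
    """application-default only admits the app's own standard ports."""
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        return (proto, dport) in APP_DEFAULT_PORTS.get(app, set())
    return (proto, dport) in rule.service


def first_match(rulebase, app, sess):
    """Top-down first match, as a security rulebase is evaluated."""
    for r in rulebase:
        if "any" not in r.applications and app not in r.applications:
            continue
        if r.source_user == "known-user" and sess.user is None:
            continue
        if not service_matches(r, app, sess.proto, sess.dport):
            continue
        return r
    return None


def evaluate(rulebase, sess):
    """Return (verdict, rule_name). Each App-ID stage is looked up in turn and the
    session is dropped at the first stage that hits a deny rule or falls off the
    end of the rulebase, so a dependency denied early never becomes FaceTime."""
    verdict = ("deny", "implicit-deny")
    for app in sess.apps:
        r = first_match(rulebase, app, sess)
        if r is None:
            return ("deny", "implicit-deny")
        if r.action == "deny":
            return ("deny", r.name)
        verdict = ("allow", r.name)
    return verdict


def build_rulebase(stun_service):
    """Constructed rulebase mirroring the poster's layout: infrastructure apps
    allowed for any user (pre-portal), FaceTime for authenticated users only,
    and a block-everything rule at the bottom."""
    return [
        Rule("pre-portal-infra", frozenset({"dns", "stun"}), stun_service, "allow"),
        Rule("facetime", frozenset({"facetime"}), "application-default", "allow", "known-user"),
        Rule("block-rest", frozenset({"any"}), "any", "deny"),
    ]


if __name__ == "__main__":
    odd_port_stun = Session(("stun",), "udp", 3479, "bob")
    print(evaluate(build_rulebase("application-default"), odd_port_stun))  # denied by block-rest
    print(evaluate(build_rulebase("any"), odd_port_stun))                  # allowed
    print(evaluate(build_rulebase("any"), Session(("stun", "facetime"), "udp", 3478, None)))
```

Running the evaluator shows the trade-off the poster is asking about: with the STUN rule on "application-default", STUN to udp/3479 falls through to the bottom block rule, while service "any" lets it through on whatever port App-ID identified it on (the firewall still requires the traffic to look like STUN, which is what keeps this narrower than an open UDP rule). It also shows why the FaceTime call fails before the captive portal: the early stun stage is allowed for any user, but the facetime stage is only allowed for an authenticated user, so the session dies at the block rule until the user has logged in.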


