I am curious what others are doing for some protocols. Examples: DNS, OCSP, STUN, Meraki, Apple push notification, etc. It seems to me that these sorts of things could be let go for pretty much all users, anytime, and be excluded from the captive portal. Correct?
I have a couple of reasons for this question:
1. I am having issues with FaceTime, which I believe is occurring because the device is trying to talk to the Apple servers before the user has authenticated to the captive portal.
2. STUN is trying to get out on some ports which are "nonstandard". It seems that I could let STUN go on any port.
If you are having issues with FaceTime then you can allow that as an application instead of using the ports. You can configure the Palo Alto firewall to either allow the traffic based on ports or on applications. If it is allowed based on application then it checks the traffic and, even if it is on non-standard ports, it allows it.
If you allow it as an application then the firewall will check the traffic and make sure whichever session belongs to FaceTime is allowed.
Here are the application details on FaceTime from the firewall:
Another thing to notice here is that FaceTime has dependent applications as well. So if you block those applications before the FaceTime rule, then you might not be able to get FaceTime going.
Hopefully this helps.
The FaceTime problem is a bit tricky, as I believe it has something to do with traffic going out pre-captive portal.
Thank you for your reply. I have enabled the dependencies. I have a rule at the bottom of my ruleset which blocks all protocols that get that far. For STUN in particular I am seeing a lot of traffic to ports other than the default of 3478, which is being blocked by my bottommost rule. So this goes back to part of the question. Would it be beneficial (or detrimental) to have a rule that allows STUN to go out on any port, or just stick with the default of 3478? Right now I have a rule that lets STUN out for "application default" only, thus UDP 3478.
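To make the two points in this thread concrete (an application rule with service "application-default" versus service "any", and why a deny for a dependent application placed above the allow rule breaks the app), here is a small first-match rulebase simulation. This is an added illustration, not Palo Alto code and not the firewall's actual matching engine: the port table is constructed (only STUN's UDP 3478 comes from the thread), the session's `app` field stands in for what App-ID would identify by inspecting the traffic, and "dep-app" is a placeholder name for whatever FaceTime's real dependency is.

```python
"""Toy first-match firewall rulebase with App-ID style matching.

Shows the difference between an application rule whose service is
'application-default' and one whose service is 'any', and the effect of
rule order when a dependent application is denied above the allow rule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    app: str    # application identified by content inspection (e.g. "stun")
    proto: str  # "udp" or "tcp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    apps: frozenset                 # applications named in the rule; {"any"} matches all
    service: str                    # "application-default", "any", or "ports"
    ports: frozenset = frozenset()  # (proto, port) pairs, used only when service == "ports"


# Constructed table of standard ports per application. Only STUN's udp/3478
# is taken from the thread; the others are ordinary well-known ports.
DEFAULT_PORTS = {
    "stun": frozenset({("udp", 3478), ("tcp", 3478)}),
    "dns": frozenset({("udp", 53), ("tcp", 53)}),
    "ssl": frozenset({("tcp", 443)}),
}


def rule_matches(rule: Rule, s: Session) -> bool:
    """True if the session satisfies both the application and the service part."""
    if "any" not in rule.apps and s.app not in rule.apps:
        return False
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        return (s.proto, s.dport) in DEFAULT_PORTS.get(s.app, frozenset())
    return (s.proto, s.dport) in rule.ports  # explicit port list


def first_match(rules, s: Session):
    """First-match evaluation: (rule name, action) of the first rule that hits."""
    for r in rules:
        if rule_matches(r, s):
            return r.name, r.action
    return "implicit-deny", "deny"  # nothing matched


BOTTOM_DENY = Rule("deny-rest", "deny", frozenset({"any"}), "any")

# Rulebase A: STUN only on its default port (the poster's current rule).
RULES_DEFAULT_ONLY = [
    Rule("allow-stun", "allow", frozenset({"stun"}), "application-default"),
    BOTTOM_DENY,
]
# Rulebase B: STUN on any port, but still only when App-ID says it is STUN.
RULES_STUN_ANY = [
    Rule("allow-stun", "allow", frozenset({"stun"}), "any"),
    BOTTOM_DENY,
]
# Rulebase C: a deny for a hypothetical dependency ("dep-app", placeholder)
# sits above the rule that allows FaceTime together with that dependency.
RULES_DEP_BLOCKED = [
    Rule("deny-dep", "deny", frozenset({"dep-app"}), "any"),
    Rule("allow-facetime", "allow", frozenset({"facetime", "dep-app"}), "any"),
    BOTTOM_DENY,
]

# Constructed sample sessions.
STUN_DEFAULT = Session("stun", "udp", 3478)
STUN_ODD = Session("stun", "udp", 51000)
UNKNOWN_3478 = Session("unknown-udp", "udp", 3478)
DEP = Session("dep-app", "tcp", 443)


def demo():
    """Evaluate each sample session against the relevant rulebase."""
    return {
        "default-only/3478": first_match(RULES_DEFAULT_ONLY, STUN_DEFAULT),
        "default-only/51000": first_match(RULES_DEFAULT_ONLY, STUN_ODD),
        "stun-any/51000": first_match(RULES_STUN_ANY, STUN_ODD),
        "stun-any/unknown-on-3478": first_match(RULES_STUN_ANY, UNKNOWN_3478),
        "dep-blocked": first_match(RULES_DEP_BLOCKED, DEP),
    }


if __name__ == "__main__":
    for label, (rule, action) in demo().items():
        print(f"{label:26s} -> {action:5s} ({rule})")
```

The "stun-any/unknown-on-3478" case is the one worth noting when weighing service "any": widening the service does not turn the rule into a port-based allow, because a session the inspection does not identify as STUN still falls through to the bottom deny. The "dep-blocked" case is the ordering problem described in the reply above: the dependency is denied before the FaceTime allow rule is ever consulted.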