Palo Alto Networks Firewalls & gaming consoles (Xbox, PlayStation, ...) - Strict NAT

by kfindlen on ‎09-10-2012 12:55 PM (15,754 Views)

Symptoms

Xbox or PlayStation games and applications are unable to connect to Xbox Live or PlayStation Network because strict NAT is detected.

Issue

When connecting to the Xbox Live service or PlayStation Network, the console establishes client (outbound) connections to the service. When hosting some games, or using some applications, an inbound connection from the Xbox Live service or PlayStation Network to the console is also required. If these inbound connections cannot be established, the console reports that strict NAT has been detected.

The consoles are compatible with UPnP devices, which allow TCP and UDP ports to be opened dynamically so that the traffic required for connectivity to the service can be forwarded. UPnP-enabled routers allow port forwarding to be configured on the device dynamically, based on requests coming from internal devices. In a UPnP environment, the console requests that the appropriate ports be forwarded to it.

Palo Alto Networks firewalls do not support UPnP: port-opening requests sent by a console via UPnP are ignored by the firewall. A 1-to-1 static NAT mapping must be created instead to forward the appropriate ports from the Xbox Live service or PSN to the console.

Further information on how the Xbox 360 uses UPnP with NAT can be found here.

Resolution

Create a static NAT entry to forward all external traffic destined to a particular public IP to the private IP of the console.

Each console behind the firewall will require a public IP and an appropriate NAT mapping.

For information on how to configure a static 1-to-1 destination NAT policy, or a bi-directional NAT mapping, please refer to the Understanding PAN-OS NAT document.
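As an added example (not part of the original article), the resolution above expressed as PAN-OS CLI configuration commands for a single console. The zone names trust and untrust, the object names, the console address 192.0.2.25 and the dedicated public address 203.0.113.25 (RFC 5737 documentation ranges) are all assumptions; UDP 3074 stands in for the full inbound port list the console vendor publishes. The `#` lines are annotations for the reader and are not CLI input.

```text
# Added example, not from the original article. Assumed zone and object
# names and documentation addresses; replace them with your own.
configure

# Address objects: the console's fixed private IP and the public IP reserved
# for this console (the article requires one public IP per console).
set address console-1 ip-netmask 192.0.2.25/32
set address pub-console-1 ip-netmask 203.0.113.25/32

# Static 1-to-1 source NAT, bi-directional: outbound traffic from the console
# is translated to 203.0.113.25, and the implied reverse rule forwards any
# traffic arriving from the Internet for 203.0.113.25 back to the console.
set rulebase nat rules nat-console-1 from trust to untrust
set rulebase nat rules nat-console-1 source console-1 destination any service any
set rulebase nat rules nat-console-1 source-translation static-ip translated-address pub-console-1 bi-directional yes

# Security policy for the inbound direction. Security rules are matched on the
# pre-NAT destination (the public IP) and the post-NAT zone (trust).
# Do not allow "service any" inbound; build a custom service from the ports the
# console vendor documents. UDP 3074 (Xbox Live) is used here as a placeholder
# for that list.
set service svc-console-inbound protocol udp port 3074
set rulebase security rules allow-inbound-console from untrust to trust
set rulebase security rules allow-inbound-console source any destination pub-console-1
set rulebase security rules allow-inbound-console application any service svc-console-inbound action allow

# Outbound from the console to the service (merge with your existing policy).
set rulebase security rules allow-console-outbound from trust to untrust
set rulebase security rules allow-console-outbound source console-1 destination any
set rulebase security rules allow-console-outbound application any service application-default action allow

commit
```

Because the NAT rule is matched top-down on the first packet, it has to sit above any general dynamic-IP-and-port rule that would otherwise match the console's source address; a second console needs its own address objects, its own public IP and a copy of both rules.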

owner: kfindlen

Comments
by bbigus
on ‎03-12-2014 09:54 AM

Have there been any long-term plans for a better solution to support UPnP? We have many of these devices on our network and don't have the staff or static IPs to provide/configure per device.

by puzzel
on ‎04-17-2014 02:53 AM

We have the same situation. Please consider support for uPnP.

by swoods79
on ‎06-29-2014 07:17 PM

I am unable to get this working properly. Can you please share more detailed information on proper configuration settings?

by andrew.stanton
on ‎01-15-2015 08:46 AM

Are you kidding me.  You want a business/enterprise firewall provider to enable consumer "plug and play" features which enable any device without authentication or control to request not only traffic to be allowed from the Internet but on any port?

Doubt this would ever happen, and many people would not buy the firewall because just having the ability to configure that would set off many alarms for admins.

by SDorsey
on ‎01-15-2015 06:20 PM

I completely endorse Andrew's take on UPnP. It has no place in an enterprise firewall. UPnP enabled anywhere is an automatic finding anytime I'm doing an assessment.

by SDorsey
on ‎01-15-2015 06:21 PM

Configure a bi-directional NAT mapping for the xbox. I did this and it fixed it for me for both psn and xbl.

by puzzel
on ‎02-09-2015 02:59 AM

Yes. It's good enough.

by puzzel
on ‎02-09-2015 03:00 AM

I was thinking about something else, but yes of course you're right.

by BradShows
on ‎03-25-2015 12:22 AM

"Configure a bi-directional NAT mapping for the xbox."
What if there are many Xboxes? I cannot set up all 10.0.0.0/20 IPs for a static 1-1 NAT. I am also having a similar issue with Vonage as well if users are on a private IP.

by RocksteadyStudios
on ‎04-20-2015 09:27 AM

We have similar requirements here. We keep all consoles on a separate subnet and have policies configured for just those subnets allowing PSN & XBL traffic.

by mario11584
‎11-28-2015 02:52 PM - edited ‎11-28-2015 02:52 PM

For the bi-directional NAT, what if I don't have a static IP (I use PPPoE, which uses DHCP)? Why can't I use the currently assigned public IP address? I've tried, but I don't see that as an option anywhere.

by kbreit
on ‎05-27-2016 12:59 PM

I'm confused about why each Playstation or XBox would need a public IP address. There is no way to have a single external IP address and have certain ports forwarded to it?

by mario11584
on ‎06-29-2016 09:03 AM

The problem I have found with this port forwarding option is in the NAT configs. The suggestion was to create a bi-directional NAT but that doesn't work well for me.

A couple of thoughts:

Within the NAT configs you have to create your own PSN service (which I just basically copied from the ports listed on the PlayStation application). One of the applications PSN uses is HTTPS, so if I have GlobalProtect, for example, configured on my firewall and I try to hit my GP portal on my static IP at "https://mystaticip", it tries to forward this traffic to my PS4 (I only have one static IP, so my PS4 uses the same). The GlobalProtect portal never loads. Analyzing traffic logs shows that the firewall is trying to forward this traffic (via NAT rules) to the zone my PS4 lives in, instead of the zone my GP portal lives in.

So the bi-directional NAT didn't work for me because it broke other things, specifically inbound traffic. Right now, on my PS4, I'm getting a NAT Type 2, which seems to work just fine. I essentially created a NAT policy that is nearly identical to a bi-directional NAT without checking the bi-directional option. It would seem to me my "default" NAT policy would do the same trick, but I've found if I remove the one specific to the PS4 I start getting a NAT Type 3. I'll have to fiddle around with it more to find out what exactly is going on.

I'm not sure why applications can't be used in NAT policy. I don't have a deep enough understanding of the PAs to know why that isn't allowed or currently supported. My assumption is app-id hasn't fully occurred yet at the NAT stage. At any rate, using the PSN (or Xbox) applications in NATing decisions I would think could solve this problem if they can be identified at this stage. That would differentiate standard HTTPS traffic from PSN or Xbox HTTPS traffic and translate and route it more accurately.

Finally, I get there are those who say UPnP has no place on an enterprise firewall, but neither does telnet, or HTTP, or any number of other insecure applications, but sometimes people need to use those applications, for whatever reason. It should be left up to the administrator to decide what should be allowed and what isn't allowed. Why couldn't an administrator setup a DMZ-like zone where this application is allowed in and only to specific IP addresses? Sure, it opens up the world to that box but isn't that the purpose of a screened subnet? If any any any rules are allowed so should UPnP be allowed. If we're going to complain about one insecure application being allowed on the firewall we should complain about all of them. Just my two cents on that matter.
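The situation described in the post above (one public IP shared between the firewall's own GlobalProtect portal and a console's bi-directional static NAT) can be handled with a NAT exemption rule. This is an added example, not part of the original thread and not a configuration the poster published; zone names, object names and the addresses 192.0.2.10 and 203.0.113.10 are assumptions, and the `#` lines are annotations rather than CLI input.

```text
# Added example, not from the original thread. Assumed names and addresses.
# Scenario: 203.0.113.10 is the firewall's only public IP. It terminates the
# GlobalProtect portal on tcp/443 and is also the translated address for the
# console. Without an exemption, the implied reverse rule of the bi-directional
# static NAT forwards unsolicited inbound tcp/443 to the console's zone.
configure

set address console-1 ip-netmask 192.0.2.10/32
set address pub-shared ip-netmask 203.0.113.10/32

# Exemption ("no-NAT") rule: matches inbound HTTPS for the shared public IP and
# applies no translation. Destination zone is untrust because the pre-NAT
# destination is the firewall's own untrust interface address.
set rulebase nat rules no-nat-gp-portal from untrust to untrust
set rulebase nat rules no-nat-gp-portal source any destination pub-shared service service-https

# The bi-directional static rule for the console, as in the article's resolution.
set rulebase nat rules nat-console-1 from trust to untrust
set rulebase nat rules nat-console-1 source console-1 destination any service any
set rulebase nat rules nat-console-1 source-translation static-ip translated-address pub-shared bi-directional yes

# NAT rules are evaluated top-down and the first match wins, so the exemption
# must precede the static rule. Enforce the ordering explicitly.
move rulebase nat rules no-nat-gp-portal top

commit
exit

# Operational-mode check: simulate an Internet client (198.51.100.5) opening
# tcp/443 to the shared IP and confirm that the exemption rule is the match.
test nat-policy-match from untrust to untrust source 198.51.100.5 destination 203.10.113.10 protocol 6 destination-port 443
```

The exemption only affects unsolicited inbound tcp/443; the console's own outbound HTTPS sessions to PSN are unaffected because their return traffic matches an existing session rather than the NAT rulebase. It does not remove the one-public-IP-per-console limit: two consoles cannot both be bi-directionally mapped to 203.0.113.10.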

by kbreit
on ‎06-29-2016 12:11 PM

@mario11584 

Great response. My guess is AppID can't work with NAT because it typically takes 5 packets (including handshake) for application identification. If you look at the packet evaluation flow for Palo Alto, NAT policy is evaluated during the initial packet processing whereas AppID is done at the end of the application stage...6 steps later.

My fuel for the fire on UPnP is it shouldn't be there. Palo Alto is a security product and UPnP inherently overrides policy. Sure, it could be up to the administrator but it is another feature for Palo Alto to maintain and integrate into the interface. Features aren't free.

I ended up creating a static NAT policy for my PS3 in addition to my normal DIPP NAT policy. The bi-directional check box is checked and I'm not doing any DNAT. Playstation's network diagnostics said it's using a NAT type 2 policy. When I loaded a game, it said it's behind NAT type 3 so I need to do a little more research.

by mario11584
on ‎06-29-2016 01:12 PM

@kbreit

That makes sense, with regards to the NAT. It needs to be the first thing that occurs so it can be matched with routing and security policies post-NAT.

I confirmed that my PS4 system is showing NAT Type 2, but a game shows NAT Type 3 (and flashes warnings across the bottom of the screen). So enabling bi-directional doesn't do anything for me other than mess up my GP portal.

[image: ps4NAT.png]

It seems the only way to resolve this issue 100% is to create a 1-to-1 NAT, but it's not possible for me, and I'm assuming, based on other threads, blogs, etc., that it's not possible for most others. I believe we are at the mercy of Palo Alto Networks to come up with a solution that is compatible with these gaming networks but is still secure for the environment protected by the firewall.

by mario11584
on ‎06-29-2016 01:18 PM

I don't mean to be spamming this forum, but I thought I would share this link to another post on the same topic. It sounds like another user came up with a different solution that he says is working for him. I have forgotten about it since I first saw it and have not yet given it a try.

Here is a direct link to the post (it's a PA community post):

Re: Nat type 2 , type 3 with playstation and xbox

by
on ‎06-29-2016 02:51 PM

@kbreit, the issue here specifically is with UPnP and how it works. It is completely dynamic in how it communicates, thus making it very difficult to support passing through a firewall onto the Internet.

The solution as has been stated before is to create the 1:1 NAT, but I understand that it makes it very difficult to work properly when you have many devices using UPnP at the same time with 1 IP.

Will PaloAltoNetworks ever support UPnP? I do not know. But I can try to ask around and see if support for it will be added any time soon.

For more information about this, please see:

https://en.wikipedia.org/wiki/Universal_Plug_and_Play

Regards,

Joe Delio

by ChrisCampbell
‎07-21-2016 01:27 PM - edited ‎07-21-2016 01:28 PM

So I got my 1 Xbox console working on the PAN just fine after some plugging away at it.

Resulting NAT rule must be in 1st position over the dynamic IP / Port for the general network devices.

Create an object for the console mapping to the IP address that is static on the device

Create an object for the public/external IP address of the firewall (if it's DHCP then you'll just have to fix the rule when it changes from the ISP - not that big of a deal every few months)

Create a NAT rule for trust to untrust zones, destination interface any, source address is the console, destination is any, service any, source translation = dynamic IP and the object you created for your public/external IP.

I also created an Xbox rule allowing all the required inbound traffic to the Xbox for Live to work... I'm sure the PS4 would be the same.

NAT = Open

P2P games and voice works money

Nat Policy

[image: Screen Shot 2016-07-21 at 1.21.08 PM.png]

Security Policy

[image: Screen Shot 2016-07-21 at 1.24.40 PM.png]

Hope this helps you guys; if you have multiple consoles then you are gonna need more public address space, as far as I can tell with PAN-OS as it is now. BTW, I'm running 7.1.3 with full threat, db, wf, etc...

by EricRuff
on ‎08-09-2016 04:40 PM

Thanks, that helped Chris. Was able to get NAT type 2 on our PS4s. Waiting for some internal testing and then I'll need to figure out an elegant way to deploy it to all of our dev kits. Probably through address groups.
