ALG? Don't you mean App-ID?
I mean an Application Layer Gateway which isn't exactly equal to an App-ID, is it?
I did see the PAN AppID for Facetime, was just trying to determine if allowing it was as simple as a rule allowing that application from the Internet to my LAN, or perhaps the other way around since the traffic is actually initiated from my LAN.
There has been an App-ID for facetime for some time and it works fine with NAT. Facetime uses STUN to deal with NAT so it should be seamless anyway.
I created a policy from zone Internet to zone Internet from Any IP to my Dynamic NAT IP which allows "facetime, aim-base, web-browsing, ssl, stun, sip, ichat-av" and tested unsuccessfully. The outbound traffic is correctly identified, but the traffic coming back from Apple's servers is allowed, but identified as "insufficient-data."
I assume allowing the AppID alone isn't enough to make it work with a Dynamic NAT? (We're NAT'ing all our clients out the same public IP)
Scratch this entire thread, NO inbound rules are required to make Facetime work on the PAN firewall.
The reason mine wasn't working out of the box was because I had an explicit deny for SIP traffic destined from my network to the Internet. And since the Facetime AppID is dependent on SIP, it failed without logging. Interestingly, with the rule disabled, Facetime is working but SIP traffic is still not logged.
I was running 4.0.8 (can't remember the exact 4.0 release) and I didn't get a warning because my policy for traffic destined for the Internet from the LAN was 'any' and I just added exclusions to block SIP and SMTP. If I had put an explicit rule allowing Facetime from the LAN to the Internet then I would've gotten an error.
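The shadowing problem described in the last two posts, as an added example that is not part of the original thread and is not PAN-OS code: a simplified first-match rulebase model that flags an allowed application whose dependency is denied by another rule. The rule names, zone names and helper functions are hypothetical; the facetime-to-sip dependency is the one stated in the thread.

```python
# Simplified model of a top-down, first-match security rulebase (not PAN-OS code).
from dataclasses import dataclass

# Dependency as stated in the thread: the facetime App-ID depends on sip.
APP_DEPENDS = {"facetime": {"sip"}}


@dataclass(frozen=True)
class Rule:
    name: str          # hypothetical rule name
    src_zone: str
    dst_zone: str
    apps: frozenset    # {"any"} matches every application
    action: str        # "allow" or "deny"


def first_match(rules, src, dst, app):
    """Return the first rule matching the flow, evaluated top-down, or None."""
    for r in rules:
        if r.src_zone == src and r.dst_zone == dst and ("any" in r.apps or app in r.apps):
            return r
    return None


def blocked_dependencies(rules, src, dst, app):
    """Return (dependency, blocking rule) pairs where app is allowed but a dependency is not."""
    hit = first_match(rules, src, dst, app)
    if hit is None or hit.action != "allow":
        return []  # the application itself is not allowed, nothing to compare
    problems = []
    for dep in sorted(APP_DEPENDS.get(app, ())):
        dep_hit = first_match(rules, src, dst, dep)
        if dep_hit is None or dep_hit.action != "allow":
            problems.append((dep, dep_hit.name if dep_hit else "implicit-deny"))
    return problems


# Constructed rulebase mirroring the thread: SIP/SMTP exclusions above an allow-any rule.
RULES = [
    Rule("block-sip-smtp", "LAN", "Internet", frozenset({"sip", "smtp"}), "deny"),
    Rule("lan-out-any", "LAN", "Internet", frozenset({"any"}), "allow"),
]

if __name__ == "__main__":
    for dep, rule in blocked_dependencies(RULES, "LAN", "Internet", "facetime"):
        print(f"facetime is allowed, but its dependency {dep} is denied by rule {rule}")
```

Because facetime only matches the allow-any rule, nothing in the rulebase names it explicitly, which is the situation in which the poster reports getting no dependency warning at commit time.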