01-19-2012 07:35 AM
01-20-2012 12:00 PM
There still is according to: http://apps.paloaltonetworks.com/applipedia//
It looks like it depends on "ichat-av, sip, ssl, stun" which means that you need to allow those aswell (I think you will get an error or warning otherwise if you try to commit with not all dependencies set).
01-23-2012 05:55 AM
mikand wrote:
ALG? Dont you mean Appid?
I mean an Application Layer Gateway which isn't exactly equal to an App-ID, is it?
http://www.paloaltonetworks.com/researchcenter/2010/08/whats-appening-with-apple-facetime/
I did see the PAN AppID for Facetime, was just trying to determine if allowing it was as simple as a rule allowing that application from the Internet to my LAN, or perhaps the other way around since the traffic is actually initiated from my LAN.
01-23-2012 07:31 AM
kbrazil wrote:
There has been an App-ID for facetime for some time and it works fine with NAT. Facetime uses STUN to deal with NAT so it should be seamless anyway.
Cheers,
Kelly
I created a policy from zone Internet to zone Internet from Any IP to my Dynamic NAT IP which allows "facetime, aim-base, web-browsing, ssl, stun, sip, ichat-av" and tested unsuccesfully. The outbond traffic is correctly identified, but the traffic comging back from Apple's servers is allowed, but identified as "insufficient-data."
I assume allowing the AppID alone isn't enough to make it work with a Dynamic NAT? (We're NAT'ing all our clients out the same public IP)
01-23-2012 09:09 AM
Scratch this entire thread, NO inbound rules are required to make Facetime work on the PAN firewall.
The reason mine wasn't working out of the box was becaue I had an explicit deny for SIP traffic destined from my network to the Internet. And since the Facetime AppID is dependant on SIP, it failed without logging. Interestingly with the rule disalbed, Facetime is working but sip traffic is still not logged.
01-23-2012 11:41 AM
Didnt you get any warning during commit that you had colliding rules?
And which PANOS is it you were using?
01-25-2012 05:22 AM
I was running 4.0.8 (can't remember the exact 4.0 release) and I didn't get a warrning because my policy for traffic destined for the internet from the LAN was 'any' and I just added exclusions to block SIP and SMTP. If I had put an explicit rule allowing Facetime from the LAN to the Internet then I would've gotten an error.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
