ALG for Facetime via NAT?

We're running 4.0.5 and Facetime does not work as the packets coming from Apple's servers via the Internet are dropped. I noticed there was an ALG for H.323 in 4.1 but wasn't sure if that was related to Facetime or if there was another workaround.

8 REPLIES

L6 Presenter

ALG? Don't you mean App-ID?

L4 Transporter

There has been an App-ID for facetime for some time and it works fine with NAT.  Facetime uses STUN to deal with NAT so it should be seamless anyway.

Cheers,

Kelly

There still is according to: http://apps.paloaltonetworks.com/applipedia//

It looks like it depends on "ichat-av, sip, ssl, stun", which means that you need to allow those as well (I think you will get an error or warning otherwise if you try to commit with not all dependencies set).

mikand wrote:

ALG? Don't you mean App-ID?

I mean an Application Layer Gateway which isn't exactly equal to an App-ID, is it?

http://www.paloaltonetworks.com/researchcenter/2010/08/whats-appening-with-apple-facetime/

I did see the PAN AppID for Facetime, was just trying to determine if allowing it was as simple as a rule allowing that application from the Internet to my LAN, or perhaps the other way around since the traffic is actually initiated from my LAN.

kbrazil wrote:

There has been an App-ID for facetime for some time and it works fine with NAT.  Facetime uses STUN to deal with NAT so it should be seamless anyway.

Cheers,

Kelly

I created a policy from zone Internet to zone Internet from Any IP to my Dynamic NAT IP which allows "facetime, aim-base, web-browsing, ssl, stun, sip, ichat-av" and tested unsuccessfully. The outbound traffic is correctly identified, but the traffic coming back from Apple's servers is allowed, but identified as "insufficient-data."

I assume allowing the AppID alone isn't enough to make it work with a Dynamic NAT? (We're NAT'ing all our clients out the same public IP)

Scratch this entire thread, NO inbound rules are required to make Facetime work on the PAN firewall.

The reason mine wasn't working out of the box was because I had an explicit deny for SIP traffic destined from my network to the Internet. And since the Facetime App-ID is dependent on SIP, it failed without logging. Interestingly, with the rule disabled, Facetime is working but SIP traffic is still not logged.

Didn't you get any warning during commit that you had colliding rules?

And which PANOS is it you were using?

I was running 4.0.8 (can't remember the exact 4.0 release) and I didn't get a warning because my policy for traffic destined for the Internet from the LAN was 'any' and I just added exclusions to block SIP and SMTP. If I had put an explicit rule allowing Facetime from the LAN to the Internet then I would've gotten an error.
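The root cause the thread settles on (an explicit SIP deny placed above a catch-all allow silently breaks an App-ID that depends on SIP, and the commit-time dependency check only fires when the dependent app is named explicitly) is easy to reproduce with a small first-match rulebase simulator. The script below is an added example, not Palo Alto's code or API: the rule format, zone names and rule names are constructed, and the facetime dependency list is the one quoted earlier in the thread (check Applipedia for the current list).

```python
"""Detect App-ID dependencies shadowed by an earlier deny in a first-match rulebase.

Added example, not the firewall vendor's code. Rule structure, zone names and
rule names are constructed; the facetime dependency list is the one quoted in
the thread and is treated as an assumption.
"""
from dataclasses import dataclass

# Assumed dependency map (from the thread's Applipedia quote, not verified here).
APP_DEPENDENCIES = {
    "facetime": {"ichat-av", "sip", "ssl", "stun"},
}


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    applications: set   # {"any"} matches every application
    action: str         # "allow" or "deny"


def first_match(rules, src_zone, dst_zone, app):
    """Return the first rule matching the flow, or None for the implicit deny."""
    for rule in rules:
        if rule.src_zone != src_zone or rule.dst_zone != dst_zone:
            continue
        if "any" in rule.applications or app in rule.applications:
            return rule
    return None


def check_app(rules, src_zone, dst_zone, app):
    """Map the app and each of its dependencies to (matching rule name, action)."""
    result = {}
    for a in [app, *sorted(APP_DEPENDENCIES.get(app, ()))]:
        rule = first_match(rules, src_zone, dst_zone, a)
        result[a] = (rule.name if rule else None, rule.action if rule else "deny")
    return result


def blocked_dependencies(rules, src_zone, dst_zone, app):
    """Names of dependencies that never reach an allow rule (sorted)."""
    verdicts = check_app(rules, src_zone, dst_zone, app)
    return sorted(a for a, (_, action) in verdicts.items()
                  if a != app and action != "allow")


# Constructed rulebase mirroring the thread: SIP and SMTP exclusions sit above a
# catch-all "any" allow from the LAN to the Internet, so no commit warning fires.
BROKEN_RULEBASE = [
    Rule("block-sip", "LAN", "Internet", {"sip"}, "deny"),
    Rule("block-smtp", "LAN", "Internet", {"smtp"}, "deny"),
    Rule("lan-out-any", "LAN", "Internet", {"any"}, "allow"),
]

# Same rulebase with the SIP deny disabled, as the poster ended up doing.
FIXED_RULEBASE = [r for r in BROKEN_RULEBASE if r.name != "block-sip"]

if __name__ == "__main__":
    for label, rulebase in (("broken", BROKEN_RULEBASE), ("fixed", FIXED_RULEBASE)):
        print(label, check_app(rulebase, "LAN", "Internet", "facetime"))
        print(label, "shadowed dependencies:",
              blocked_dependencies(rulebase, "LAN", "Internet", "facetime"))
```

Running it shows `facetime` itself matching the catch-all allow in both rulebases, while `sip` hits `block-sip` in the broken one; no inbound (Internet to LAN) rule matches anything, which is consistent with the thread's conclusion that none is needed.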
