We have Palo Alto firewalls, version 8.1.x. We heavily use Webex (application and physical boards), Jabber, and MS Teams, both in the corporate office and by GlobalProtect VPN users. I'm considering using Application Override for many of these voice and video applications, especially since I see a large amount of cisco-spark-audio-video App-ID traffic as well as jabber, sip, ms-teams, and webex-base.
In my lab, I created about two dozen Application Override policies specifying the protocol, port, and application, though when applied, I received shadowing warnings. I'm concerned whether just the port number is being used, some of which are ports 443, 5004, and 33434. Could this affect common traffic, too, like web traffic, even though I specified the application? I feel these applications should not go through application inspection. What are others doing, or do you have suggestions concerning these applications?
I appreciate any help.
Why would you use overrides? (Can you elaborate on why you feel these apps shouldn't be inspected? Just curious.)
If there are issues getting these apps through NAT, you can still disable the ALG in the app.
These will most certainly affect other traffic flows using the same ports.
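A simplified model of the behaviour the reply above warns about, added here as an example (it is not Palo Alto's code and not something either poster wrote). An application-override rule on PAN-OS is matched on zone, address, protocol and port; the application named in the rule is the App-ID that gets assigned to the matched session, not a match criterion, so an override for TCP/443 captures every TCP/443 flow between those zones, including ordinary HTTPS. The zone names, rule names and sample flows below are constructed, and addresses are left out of the model for brevity.

```python
"""Toy model of application-override matching and rule shadowing.

Added example, not PAN-OS code. Match fields: zones, protocol, port.
The rule's `application` is what the matched flow is *labelled* as;
it is never compared against what App-ID would have detected.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OverrideRule:
    name: str
    from_zone: str
    to_zone: str
    protocol: str        # "tcp" or "udp"
    ports: range         # destination ports matched, e.g. range(443, 444)
    application: str     # App-ID assigned on match (NOT a match field)


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    protocol: str
    dst_port: int
    detected_app: str    # what App-ID inspection would have identified


def matches(rule: OverrideRule, flow: Flow) -> bool:
    """An override rule only looks at zones, protocol and port."""
    return (rule.from_zone == flow.from_zone
            and rule.to_zone == flow.to_zone
            and rule.protocol == flow.protocol
            and flow.dst_port in rule.ports)


def first_match(rules, flow):
    """Rules are evaluated top-down; the first hit wins."""
    for rule in rules:
        if matches(rule, flow):
            return rule
    return None


def assigned_app(rules, flow: Flow) -> str:
    """Label the flow gets: the override's app if a rule hits, else App-ID's verdict."""
    rule = first_match(rules, flow)
    return rule.application if rule else flow.detected_app


def shadowed_rules(rules):
    """(later_rule, earlier_rule) pairs where the earlier rule covers the
    later rule's whole match space, so the later rule can never fire.
    This is what a 'shadowing' warning is telling you."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.from_zone == later.from_zone
                    and earlier.to_zone == later.to_zone
                    and earlier.protocol == later.protocol
                    and later.ports.start >= earlier.ports.start
                    and later.ports.stop <= earlier.ports.stop):
                out.append((later.name, earlier.name))
                break
    return out


def collateral_flows(rules, flows):
    """Flows an override relabels to something other than what App-ID saw,
    i.e. traffic that silently escapes Layer-7 inspection."""
    return [f for f in flows
            if first_match(rules, f) is not None
            and assigned_app(rules, f) != f.detected_app]


# Constructed rule set: two rules on TCP/443 and one on UDP/5004.
RULES = [
    OverrideRule("override-webex-443", "trust", "untrust", "tcp", range(443, 444), "webex-base"),
    OverrideRule("override-spark-media", "trust", "untrust", "udp", range(5004, 5005), "cisco-spark-audio-video"),
    OverrideRule("override-teams-443", "trust", "untrust", "tcp", range(443, 444), "ms-teams"),
]

# Constructed flows with the App-ID verdict inspection would have produced.
SAMPLE_FLOWS = [
    Flow("trust", "untrust", "tcp", 443, "ssl"),                      # plain HTTPS browsing
    Flow("trust", "untrust", "tcp", 443, "ms-teams"),                 # real Teams traffic
    Flow("trust", "untrust", "udp", 5004, "cisco-spark-audio-video"), # Webex media
    Flow("trust", "untrust", "tcp", 8443, "ssl"),                     # no rule on 8443
    Flow("vpn", "untrust", "tcp", 443, "webex-base"),                 # GlobalProtect zone, no rule
]

if __name__ == "__main__":
    for later, earlier in shadowed_rules(RULES):
        print(f"shadowed: {later} is never reached because of {earlier}")
    for f in collateral_flows(RULES, SAMPLE_FLOWS):
        print(f"collateral: {f.protocol}/{f.dst_port} detected as {f.detected_app}, "
              f"labelled {assigned_app(RULES, f)} and skipped inspection")
```

Running it reports that `override-teams-443` is fully shadowed by `override-webex-443`, and that both TCP/443 sample flows (the plain HTTPS session and the genuine Teams session) end up labelled `webex-base` without ever reaching App-ID. That is the mechanism behind both the shadowing warnings and the concern about web traffic on port 443; narrowing an override to specific destination addresses or a dedicated zone shrinks the collateral set, while a port-only rule does not.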
We have had intermittent issues with voice calls (Jabber) and some Webex connectivity issues; these started before the recent world events but continue to this day. I know voice and video are sensitive and wonder if they should be inspected.
We also had an issue with one of our primary firewalls: when we had a large number of VPN users connected, the firewall choked. Palo Alto Support saw a large amount of cisco-spark-audio-video traffic, which was being inspected, and recommended creating an Application Override.
I appreciate your help.
It sounds like the PAN is underpowered. I'm also going to guess that an upgrade is not in the budget? Check into streamlining your policies and see where changes can be made.
I say start with the BPA tool and see if it can find anything.