Application Override Video & Voice

Reply
Highlighted
L2 Linker

Application Override Video & Voice

We have Palo Alto firewalls, version 8.1.x. We heavily use Webex (application and physical boards), Jabber, and MS Teams both in the Corporate office and by GlobalProtect VPN users. I'm considering using Application Override for many of these Voice and Video applications, especially I see a large amount of cisco-spark-audio-video App-ID traffic as well as jabber, sip, ms-teams, and webex-base.

 

In my lab, I created about two dozen Application Override policies specifying the protocol, port, and application, though when applied, I received shadowing warnings. I"m concerned if just the port number is being used, which some are port 443, 5004, and 33434. Could this affect common traffic, too, like web traffic, even though I specified the application? I feel these applications should not go through application inspection. What are others doing or have suggestions concerning these applications?

I appreciate any help.

 

Jeff

Passionate about network infrastructure and all things Palo Alto Networks.
Highlighted
L7 Applicator

why would you use overrides? (can you elaborate why you feel these apps shouldn't be inspected? just curious)

if there are issues getting these apps through NAT, you can still disable the ALG in the app

 

these will most certainly affect other traffic flows using the same ports

Tom Piens - PANgurus.com
Find my book at amazon.com/dp/1789956374
Highlighted
L2 Linker

We have had intermittent issues with voice calls (Jabber) and some Webex connectivity issues; before the recent world events but continue to this day. I know voice and video are sensitive and wonder if they should be inspected.

 

We also had an issue with one of our primary firewalls, that when we had a large number of VPN users connected the firewall choked. Palo Alto Support saw a large number of cisco-spark-audio-video traffic, which was being inspected and recommended to create an Application Override.

I appreciate your help.

 

Jeff

Passionate about network infrastructure and all things Palo Alto Networks.
Highlighted
Cyber Elite

Hello,

It sounds like the PAN is under powered. I'm also going to guess that an upgrade is not in the budget? Check into streamlining your policies and see where changes can be made.

 

I say start with the BPA tool and see if it can find anything.

 

https://docs.paloaltonetworks.com/best-practices

 

Regards,

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!