Application Override Video & Voice


L3 Networker

We have Palo Alto firewalls, version 8.1.x. We heavily use Webex (application and physical boards), Jabber, and MS Teams both in the Corporate office and by GlobalProtect VPN users. I'm considering using Application Override for many of these Voice and Video applications, especially as I see a large amount of cisco-spark-audio-video App-ID traffic as well as jabber, sip, ms-teams, and webex-base.

 

In my lab, I created about two dozen Application Override policies specifying the protocol, port, and application, though when applied, I received shadowing warnings. I'm concerned if just the port number is being used, which some are port 443, 5004, and 33434. Could this affect common traffic, too, like web traffic, even though I specified the application? I feel these applications should not go through application inspection. What are others doing or have suggestions concerning these applications?

I appreciate any help.

 

Jeff

Passionate about network infrastructure and all things Palo Alto Networks.
3 REPLIES

Cyber Elite

Why would you use overrides? (Can you elaborate why you feel these apps shouldn't be inspected? Just curious.)

If there are issues getting these apps through NAT, you can still disable the ALG in the app.

These will most certainly affect other traffic flows using the same ports.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
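
The point made in the reply above, as an added example (not part of the thread and not Palo Alto Networks code): a simplified model in which an override rule matches only on protocol, port and destination, and the application is the label assigned on a match rather than a filter. The rule names, the `custom-voice` label and the addresses are constructed assumptions; zones and source addresses are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class OverrideRule:
    name: str
    protocol: str      # "tcp" or "udp"
    port: int
    destination: str   # CIDR; "0.0.0.0/0" stands for "any"
    application: str   # label assigned on match, NOT a match criterion

@dataclass(frozen=True)
class Flow:
    description: str
    protocol: str
    port: int
    dst_ip: str

def assigned_app(flow: Flow, rules: list) -> Optional[str]:
    """The first rule whose protocol, port and destination match decides the label."""
    for rule in rules:
        if (rule.protocol == flow.protocol and rule.port == flow.port
                and ip_address(flow.dst_ip) in ip_network(rule.destination)):
            return rule.application
    return None  # no override matched: normal App-ID inspection applies

# Constructed sample data (documentation address ranges, hypothetical names)
MEDIA_NET = "198.51.100.0/24"
FLOWS = [
    Flow("call media to the vendor", "udp", 5004, "198.51.100.20"),
    Flow("call signalling to the vendor", "tcp", 443, "198.51.100.20"),
    Flow("ordinary HTTPS browsing", "tcp", 443, "203.0.113.80"),
]
# Port-only rules (destination "any") versus rules scoped to the media network
BROAD = [OverrideRule("ovr-443", "tcp", 443, "0.0.0.0/0", "custom-voice"),
         OverrideRule("ovr-5004", "udp", 5004, "0.0.0.0/0", "custom-voice")]
SCOPED = [OverrideRule("ovr-443", "tcp", 443, MEDIA_NET, "custom-voice"),
          OverrideRule("ovr-5004", "udp", 5004, MEDIA_NET, "custom-voice")]

def report(rules: list) -> dict:
    """Map each sample flow to the application label it would receive."""
    return {f.description: assigned_app(f, rules) for f in FLOWS}

if __name__ == "__main__":
    for label, rules in (("broad", BROAD), ("scoped", SCOPED)):
        print(label, report(rules))
```

With the port-only rules, the HTTPS browsing flow is labelled `custom-voice` and skips inspection; with the destination-scoped rules it falls through to normal identification.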

We have had intermittent issues with voice calls (Jabber) and some Webex connectivity issues; before the recent world events but continue to this day. I know voice and video are sensitive and wonder if they should be inspected.

 

We also had an issue with one of our primary firewalls: when we had a large number of VPN users connected, the firewall choked. Palo Alto Support saw a large amount of cisco-spark-audio-video traffic, which was being inspected, and recommended creating an Application Override.

I appreciate your help.

 

Jeff

Passionate about network infrastructure and all things Palo Alto Networks.

Hello,

It sounds like the PAN is underpowered. I'm also going to guess that an upgrade is not in the budget? Check into streamlining your policies and see where changes can be made.

 

I say start with the BPA tool and see if it can find anything.

 

https://docs.paloaltonetworks.com/best-practices

 

Regards,
