Exposing Videoconference - "Incomplete" traffic allowed

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Exposing Videoconference - "Incomplete" traffic allowed

L4 Transporter
Hi all

I have tried to expose Videoconference system behind Palo Alto.
Unfortunately using App ID in security policy I have seen Palo Alto allows a lot of "incomplete" traffic.

That's really an issue: When enabling h.323 in security Policy App id engine starts to allows every port in order to find something related to this protocol and obviously you will see in the traffic log incomplete as" session end-reason".

Which is the best practice in this kind of situation?

Thanks in ⎌advance


I'm tryng to configure a strong "Zone protection" profile.. 



Don't jump to strong Zone Protection immidiately.

Go in steps.

From my experience.

Company with 2 sites.

Strict ip and port scan restrictions in Zone protection.

Guy from one site tried to call to guy at other site.

He used Skype that likes to probe what open ports other peer has.

And firewall of site 1 blacklisted site 2. VPN and all intra company traffic were blocked.

Now with newer releases you can exclude some ip's in Zone protection so this helps 🙂

Enterprise Architect, Security @ Cloud Carib Ltd

Hi @Raido_Rattameister,


Do you think it's possible to apply "zone protection" on DMZ? Or I have to apply this profile on the "OUTSIDE" zone?

I have tried to apply it on DMZ, and test it (configured minimum threshold) with a port scan via NMAP.. No threat logs generated.


On which zone "zone protection" has to be applied?



You can apply zone protection on whatever zone you wish, and really you should have one for your DMZ and your OUTSIDE zones if you have both. Depending on how you have things setup would indicate what zone your traffic shows, but you can verify this in your traffic log by (addr in publicip) and seeing what your destination zone is for traffic going to that address. 

@TheRealDiz As @BPry mentioned you should enable Zone protection to both zones.

Traffic that is initiated from wan towards DMZ is checked by Zone protection profile on wan (ingress) zone.

Enterprise Architect, Security @ Cloud Carib Ltd
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!