I have some questions regarding GoToMeeting and Security Policies. The System is a PA-3020, which is running on the software version 8.1.2.
For GoToMeeting to work properly, the application stun has to be allowed. I have created a security policy in which I have allowed said stun. Under the monitor tab, I now see that stun is allowed for the port 3478. Nevertheless, I see various other connections with the ports 5060, 9000, 45003, 45004, 45005, 45006 ... which are recognized by the Palo as the application stun, but they are blocked.
Do I have to build a custom application, in which I allow the various ports, or exists a separate stun application, where the individual ports are included?
What do I have to do, that the audio(Microphone) works properly - everything else from GoToMeeting works like a charm.
Stun should only utilize tcp/udp 3478 if utilizing standard ports, and for some reason Palo doesn't include the default 5349 for TLS connections within that app-id. The 5060 port should be seen as SIP not stun. As for the other ports that shouldn't actually be related to GoToMeeting.
Take a look at how the 5060 and 5061 traffic is actually being identified and if it is all getting allowed. That would be the ports utilized for actual audio.
Thank you for your answer @BPry
For some reason if one ouf our users uses GoToMeeting, I see under the "Monitor tab", that the Port 5060 with the detected application stun is blocked. So our Palo detects this connection as if stun is used, not sip.
I created a custom application for stun audio, in which i allowed the port 5060 (tcp and udp). I created a security policy and added that custom application and the said user to it.
The traffic from port 5060/stun is still blocked. Can I simply add the Port 5060 to the app-id stun and lets say simply allow a connection on port 5060 when the application stun is detected?
Can you give me the best way and describe on what to do?
Do you have the latest version of Application and Threats installed on your firewall or are you running something that is outdated? You can't add an additional port to a built-in application like stun; how exactly did you create the custom application, If I would have to guess your signature you attempted to create was incorrect or you didn't create a signature so it wouldn't have been identified as your custom app-id.
To allow any instance of stun on 5060 you would need to create a security policy with the app-id 'stun' and then create two service objects, one for tcp/5060 and one for udp/5060, and utilize the new service objects in your security policy instead of application-default. I wouldn't recommend doing so, as you still need to deal with the fact that it isn't identifying traffic correctly anyways.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!