I have encountered an issue where a downloaded client installed on Internet Explorer called Aspera client for downloading video content experienced an error. It states to check the UDP port and firewall based on code 15.
Since this is application based (HTTP), where is the most effective place to allow and create the rule for the client to download?
Do I create a "security" rule or create an "application override"?
I want to be able to allow a source zone or ip (trusted) to allow traffic connections to an ip (untrusted zone) on port udp 33001.
BTW, http://asperasoft.com/en/support/troubleshooting_3/2_Connect_Timeout_4 is where the support is based. I didn't see the application listed in the PA firewall applications listing either.
From the description of the error message, it seems that the control connection over TCP is established, but the data connection, using UDP 33001 cannot be established. To resolve this, you first need to create a service under Objects -> Services. Create a service called "Aspera" for protocol UDP and destination port 33001 (do not define a source port as it will probably be random).
Then create a security rule under Policies -> Security like the following:
Source Zone: Trusted
Source Address: Define private source addresses you wish to allow through the firewall or set to "any" to allow everyone.
Destination Address: Any, or a specific Aspera IP address(es) if known.
This rule should be placed above your deny rules.
Thank you for answering my question....
I've added both objects (services) and policies (security rule) to the FW; however, after committing the changes and testing, it still doesn't seem to allow download of the video content. It just states "connecting" but no go.
I've included a snapshot of the event of what occurs when using Aspera webclient and the rules added.
Perhaps I've missed something?
Your configurations look fine. You might want to configure a clean-up (src zone: trust, dst zone: untrust, action deny) rule at the bottom of your security policies in order to determine what traffic is being blocked by PAN. You can then filter the traffic logs based on your Source IP address to check if anything is being blocked. I would also suggest checking your URL filtering logs and threat logs to make sure nothing is being denied there.
By default, PAN will only generate logs for traffic that matches a defined security policy. If traffic from one zone to another is not explicitly allowed by a security policy, it is blocked by an implicit deny policy (not visible in security policies) and these denies will not be logged in the traffic logs. For troubleshooting purposes, we can set up a cleanup rule to log traffic that would be implicitly denied.
The cleanup rule would look like:
Source Zone: Trusted
Source Address: any
Destination Address: any
Make sure that the cleanup rule is at the bottom of your security policies. Security policies are read from Top to Bottom.
Once changes have been committed, you can check the traffic logs under Monitor -> Logs -> Traffic. From there you can click on the source IP address and filter the logs based on it. This would show us if any traffic from the Aspera client is being denied. You can then modify the security policies to allow the traffic being denied.
For debug purposes it can be handy to set your last cleanup rule to log not only on "session end" but also at "session start" (otherwise you would need to wait for the flow to finish before it shows up in the PAN logs).
Usually session end gives you traffic volume and application (which session start cannot show), so in case you don't need to know these (since the deny should be on the first bad packet) you can set the cleanup rule to only log on "session start" instead of "session end" (otherwise your log volume will go up if you didn't do this before).
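The service object, allow rule and logging cleanup rule described in the replies above, expressed as PAN-OS CLI `set` commands. This is an added example, not configuration posted by any participant; the zone names `trust`/`untrust`, the rule names and the sample client address 192.0.2.10 are assumptions, and lines starting with `#` are annotations rather than CLI input.

```text
# Enter configuration mode on the firewall CLI
configure

# Objects -> Services: UDP 33001 with no source port constraint
set service Aspera protocol udp port 33001

# Policies -> Security: allow the Aspera data connection from the
# trusted zone to the untrusted zone (assumed zone names)
set rulebase security rules Allow-Aspera from trust to untrust
set rulebase security rules Allow-Aspera source any destination any
set rulebase security rules Allow-Aspera application any service Aspera
set rulebase security rules Allow-Aspera action allow log-end yes

# Cleanup rule: deny trust -> untrust and log at session start so an
# implicitly denied flow appears in the traffic log immediately
set rulebase security rules Cleanup-Log-Deny from trust to untrust
set rulebase security rules Cleanup-Log-Deny source any destination any
set rulebase security rules Cleanup-Log-Deny application any service any
set rulebase security rules Cleanup-Log-Deny action deny log-start yes log-end yes

# Rules are evaluated top to bottom: keep the cleanup rule last
move rulebase security rules Cleanup-Log-Deny bottom
commit
exit

# Operational mode: show denied sessions for one client address
# (same filter as clicking the source IP in Monitor -> Logs -> Traffic)
show log traffic query equal "(addr.src in 192.0.2.10) and (action eq deny)"
```

If the filtered log shows hits on Cleanup-Log-Deny, the destination zone, address or port of those entries tells you what the Allow-Aspera rule is still missing.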