how to block skype for 'trust' zone and allow for 'trust2' zone

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

how to block skype for 'trust' zone and allow for 'trust2' zone

L1 Bithead

Hi,

I'm trying to block skype for one group of users (whitch are in 'l3-trust' security zone) and allow for second group (which are in 'l3-trust2' security zone).

Both zones: 'l3-trust' and 'l3-trust2' are source-NATed to 'l3-untrust' zone, one interface, one IP address.

I made policy rule allowing skype-probe from 'any' zone to 'any' zone and second policy which blocked skype from 'l3-trust' zone to 'l3-untrust'.

Unfortunately all users (from both trusted security zones) have access to skype.

Even, when I modify second rule and add also 'l3-trust2' to blocked zone for skype, skype is working for everyone.

I suspect some network misconfiguration, so I attach configuration screens.

Please help!

4 REPLIES 4

L6 Presenter

The configuration looks OK. Can you please run the following commands.  R u trying to test this with SKYPE Test call ? because Skype test call works even you block skype .

Try to make a skype call ( not the test call ) to one of the contacts from l3-trust zone and now look at the sessions information you do this via " show session info"

. Now from the sessions look wether the l3-trust users are hitting the correct security rule or not. Also in the sessions, look for what is the application. You should not see any thing other than Skype-probe or Skype. If application and the security rules are correct I do not see any reason for this to fail.

Tx,
Sandeep T

Hi,

Voice calls are blocked, but chat is still possible. Wold be much more efficient just to completly block user login to skype. Is it possible in general, and if not how to disable chating in skype?

What does the traffic log show? Is everything showing up as Skype-base? Are you using a merged Skype/Live messenger account to test? The Skype program will use both the Live Messenger application and Skype-base application for chat if it is a merged account.

In report of 'show session all' I see that PAN recognize skype (even skype IM) as a 'skype' application and there is also skype-probe of course.

But I didn;t told you about important thing, and I'm wondering now that is so matter in my case?

All my tests I'm doing on my laptop where I have Windows 7 installed, and it hosts virtual enviroment (VMWare Workstation) in whch I have virtual PAN and virtual Windows XP machine installed.

All traffic from virtual Windows XP is going through virtual PAN (secured, NATed and routed by virtual PAN), after that NATed to my physical interface (by VMware network mechanism) and after that routed to Internet..From the virtual Windows XP perspective, my Windows 7 host OS (and let say Internet) is in untrust zone.

I'm wondering now that could cause some impact for skype?

I observe that when I completelty block every traffic/applicaiton on virtual PAN, and when I launch Skype on virtual Windows XP it doesn't work. But when I'm launch Skype on my Windows 7 host OS  and restart Skype on virtual Windows XP it's start wokring and I can do call from Windows XP to Windows7.

Well, as I mentioned both machines are zone based secured, but to be honest they have 'shared' network interfaces.

Virtual Palo Alto has 3 interfaces:

- untrust which is VMnet8 (NATed by VMWare interface)

- trust which is VMnet1 (host-only, isolated interface)

- trust2 which is VMnet2 (host-only, isolated interrface)

Virutal Windows XP has only one interface which is in trust zone and it is VMNet1 interface.

Host OS - Windows 7 of course sees alle above interfaces: VMnet8, VMnet1 and VMnet2, becuase it runs VMWare Workstaiton, which creates all this interfeaces.

So maybe skype could use it in some magic way nad this cause me problem?

If yes how to fix it and block skype?

  • 6182 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!