I'm trying to block skype for one group of users (which are in the 'l3-trust' security zone) and allow it for a second group (which are in the 'l3-trust2' security zone).
Both zones, 'l3-trust' and 'l3-trust2', are source-NATed to the 'l3-untrust' zone: one interface, one IP address.
I made a policy rule allowing skype-probe from 'any' zone to 'any' zone and a second policy which blocks skype from the 'l3-trust' zone to 'l3-untrust'.
Unfortunately all users (from both trusted security zones) have access to skype.
Even when I modify the second rule and also add 'l3-trust2' to the blocked zones for skype, skype works for everyone.
I suspect some network misconfiguration, so I attach configuration screens.
Try to make a skype call (not the test call) to one of the contacts from the l3-trust zone and then look at the session information; you do this via "show session info". Now, from the sessions, look whether the l3-trust users are hitting the correct security rule or not. Also in the sessions, look at what the application is. You should not see anything other than skype-probe or skype. If the application and the security rules are correct I do not see any reason for this to fail.
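To make the check above concrete, here is a small model of the rulebase this thread describes (skype-probe allowed any-to-any, skype denied from l3-trust to l3-untrust) with first-match evaluation and an audit that compares each session's reported rule with the rule that should have matched. This is an added example, not Palo Alto code or the poster's configuration; the rule names, the implicit intrazone-allow/interzone-deny defaults, and the session records are assumptions, and the records are a constructed, simplified form rather than raw `show session all` output.

```python
"""Zone/application first-match rulebase model plus a session audit.

Added example for the thread above; not vendor code. Rule names and the
session records are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: frozenset
    dst_zones: frozenset
    apps: frozenset
    action: str  # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, app: str) -> bool:
        """A member set containing 'any' matches every value."""
        def hit(members: frozenset, value: str) -> bool:
            return "any" in members or value in members
        return (hit(self.src_zones, src_zone)
                and hit(self.dst_zones, dst_zone)
                and hit(self.apps, app))


ANY = frozenset({"any"})

# Rulebase as described in the thread (names are assumed, not the poster's).
RULEBASE: List[Rule] = [
    Rule("allow-skype-probe", ANY, ANY, frozenset({"skype-probe"}), "allow"),
    Rule("block-skype-trust", frozenset({"l3-trust"}), frozenset({"l3-untrust"}),
         frozenset({"skype"}), "deny"),
]

# Implicit defaults modelled after PAN-OS behaviour when no explicit rule
# matches: same-zone traffic is allowed, cross-zone traffic is denied.
INTRAZONE_DEFAULT = Rule("intrazone-default", ANY, ANY, ANY, "allow")
INTERZONE_DEFAULT = Rule("interzone-default", ANY, ANY, ANY, "deny")


def first_match(rules: List[Rule], src_zone: str, dst_zone: str, app: str) -> Rule:
    """Return the first rule matching the flow, else the implicit default."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, app):
            return rule
    return INTRAZONE_DEFAULT if src_zone == dst_zone else INTERZONE_DEFAULT


@dataclass(frozen=True)
class Session:
    sid: int
    src_ip: str
    src_zone: str
    dst_ip: str
    dst_zone: str
    app: str        # application as identified for the session
    rule_hit: str   # rule name the firewall reports for the session


# Constructed sample sessions (not captured from a real firewall).
SESSIONS: List[Session] = [
    Session(101, "10.1.1.10", "l3-trust", "198.51.100.7", "l3-untrust",
            "skype-probe", "allow-skype-probe"),
    Session(102, "10.1.1.10", "l3-trust", "198.51.100.7", "l3-untrust",
            "skype", "allow-skype-probe"),
    Session(103, "10.2.2.20", "l3-trust2", "198.51.100.7", "l3-untrust",
            "skype", "interzone-default"),
    Session(104, "10.1.1.10", "l3-trust", "10.1.1.20", "l3-trust",
            "skype", "intrazone-default"),
]


def audit(rules: List[Rule], sessions: List[Session]) -> List[Dict[str, object]]:
    """Report sessions whose reported rule is not the expected first match.

    Each finding carries the observed rule, the rule that should have matched
    for the identified application and zone pair, and that rule's action, so
    the operator can see at a glance where policy intent and reality diverge.
    """
    findings: List[Dict[str, object]] = []
    for s in sessions:
        expected = first_match(rules, s.src_zone, s.dst_zone, s.app)
        if expected.name != s.rule_hit:
            findings.append({
                "sid": s.sid,
                "app": s.app,
                "src_zone": s.src_zone,
                "dst_zone": s.dst_zone,
                "observed": s.rule_hit,
                "expected": expected.name,
                "expected_action": expected.action,
            })
    return findings


if __name__ == "__main__":
    for finding in audit(RULEBASE, SESSIONS):
        print(finding)
```

Running it flags only session 102: App-ID reports `skype` from l3-trust to l3-untrust, yet the session is attributed to the probe allow rule rather than the block rule. Session 103 is worth noticing too: with only the two rules from the thread, skype from l3-trust2 has no explicit allow and falls to the interzone default, so an allow rule for that zone has to exist for the "allow for the second group" goal to hold.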
In the report of 'show session all' I see that PAN recognizes skype (even skype IM) as a 'skype' application, and there is also skype-probe of course.
But I didn't tell you about an important thing, and I'm wondering now whether it matters in my case.
All my tests I'm doing on my laptop, where I have Windows 7 installed, and it hosts a virtual environment (VMware Workstation) in which I have a virtual PAN and a virtual Windows XP machine installed.
All traffic from the virtual Windows XP is going through the virtual PAN (secured, NATed and routed by the virtual PAN), after that NATed to my physical interface (by the VMware network mechanism) and after that routed to the Internet. From the virtual Windows XP perspective, my Windows 7 host OS (and let's say the Internet) is in the untrust zone.
I'm wondering now whether that could have some impact on skype?
I observe that when I completely block every traffic/application on the virtual PAN and launch Skype on the virtual Windows XP, it doesn't work. But when I launch Skype on my Windows 7 host OS and restart Skype on the virtual Windows XP, it starts working and I can make a call from Windows XP to Windows 7.
Well, as I mentioned, both machines are zone-based secured, but to be honest they have 'shared' network interfaces.
Virtual Palo Alto has 3 interfaces:
- untrust which is VMnet8 (NATed by VMWare interface)
- trust which is VMnet1 (host-only, isolated interface)
- trust2 which is VMnet2 (host-only, isolated interface)
The virtual Windows XP has only one interface, which is in the trust zone and is the VMnet1 interface.
The host OS, Windows 7, of course sees all the above interfaces, VMnet8, VMnet1 and VMnet2, because it runs VMware Workstation, which creates all these interfaces.
So maybe skype could use them in some magic way and this causes my problem?
If yes, how to fix it and block skype?