Odd App ID


So, interesting thing.  We use a PA-500 for our enterprise guest networks.  We currently have a couple rules that go like this:

1.  Allow guest networks to use Skype / Skype-Probe

2.  Block guest networks from using Risk 4 and 5 P2P  (this catches stuff like Bittorrent, etc.)

We just got an email that someone on our guest network is torrenting.  Lo and behold, the PA is still letting the app "bittorrent" through even though it's blocked in that application filter.

Thoughts?

3 REPLIES 3

L6 Presenter

If I'm not mistaken, the logs in PA should show you which rule allowed the traffic.

Verify that you don't somehow allow bittorrent in an earlier rule (since PA uses a top-down first-match rule engine similar to Cisco ACLs), either directly (like allowing risk=5) or indirectly (allowing appid=any where you thought you would just let some IP addresses through without filtering or such).

That's the thing.  I saw that and it's being allowed by the rule that only has the skype apps allowed.

Maybe the PA is messing up port classifications and thinks it's seeing bittorrent when it's seeing skype?  Or, some torrent traffic is using skype ports?

The thing is that PA doesn't care about ports unless you limit the rule by specifying which ports you wish to allow through in the "service" column.

So if you allow skype and nothing else, then only skype should be allowed. However, if a specific flow first acts like skype and then changes into bittorrent, then it should have been blocked (if you only allow skype).
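
The top-down, first-match evaluation described in the replies, as an added example that is not part of the original thread and is not Palo Alto code: a simplified Python model that finds which rule decides a session and which block rules below it never get a say. The rule names, the address 10.0.0.50, and the reduction of the application filter to a fixed set containing bittorrent are assumptions made for illustration.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset   # source addresses, or {"any"}
    apps: frozenset      # identified applications, or {"any"}
    action: str          # "allow" or "deny"

    def matches(self, src, app):
        return ((ANY in self.sources or src in self.sources)
                and (ANY in self.apps or app in self.apps))

def first_match(rules, src, app):
    """Return the first rule, top-down, that matches; None if nothing matches."""
    for rule in rules:
        if rule.matches(src, app):
            return rule
    return None  # default action is not modelled here

def shadowed_denies(rules, src, app):
    """Deny rules that match but sit below the allow rule that decided."""
    hit = first_match(rules, src, app)
    if hit is None or hit.action != "allow":
        return []
    below = rules[rules.index(hit) + 1:]
    return [r.name for r in below if r.action == "deny" and r.matches(src, app)]

# Constructed rulebase modelled on the two rules in the original post.
GUEST_RULES = [
    Rule("allow-skype", frozenset({ANY}), frozenset({"skype", "skype-probe"}), "allow"),
    Rule("block-p2p-risk-4-5", frozenset({ANY}), frozenset({"bittorrent"}), "deny"),
]
# Same rulebase with a hypothetical earlier exception: any application for one host.
WITH_EXCEPTION = [
    Rule("allow-host-any-app", frozenset({"10.0.0.50"}), frozenset({ANY}), "allow"),
] + GUEST_RULES

if __name__ == "__main__":
    for label, rules in (("guest", GUEST_RULES), ("with exception", WITH_EXCEPTION)):
        for src in ("10.0.0.50", "10.0.0.77"):
            hit = first_match(rules, src, "bittorrent")
            print(label, src, hit.name, hit.action,
                  shadowed_denies(rules, src, "bittorrent"))
```

In this model an application-only allow rule never matches a session identified as bittorrent, while a broad earlier rule does, which is the case the first reply asks to rule out.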
