Palo Alto and Polycom RealPresence Issue


L2 Linker

Hi All,

Having an issue using Polycom mobile.

On our side: no video and audio.

On the dialed number: video and audio are working.

We translate the trust network to a specific public address and allow.

Policy:

trust network -> untrust to any destination and service.

Untrust (public address of peer) -> Trust any destination and service.

Palo Alto ALGs - Disabled

If we have this NAT traversal issue in VoIP communications, how can we solve it?

Based on my research, it is possible that the outside address of the packet gets translated, not the inside contents.

Thank you


L3 Networker

What do your NAT and Security policies look like? Do you have any other traffic being NAT'd successfully?

Cyber Elite

It sounds like you are utilizing a NAT that looks similar to the one I've screenshotted, but directly to one public IP. If that's the case then you are likely hitting a session issue, as the Polycom software is going to try and open ports that you have not already started a session with, and the firewall doesn't know where to send those packets.

When utilizing video conferencing services it's best to do a static NAT or PAT and build security policies around it. Just from past experience working with Polycom RealPresence I can tell you that you are running into a port access issue. I'll look in my documentation and see if I still have what ports the software needed from the last time I worked with it. But most importantly, if you only have 1 public IP address and you can't separate this out, you'll likely never have a good experience without a PAT pointing things back to your RealPresence device.

Translation works fine on the device. Thanks.

Created a static NAT (bi-directional) from my RealPresence private address to 1 specific public address; will run another test later.

L2 Linker

UPUP

I'm not sure why you are raising this again? You said that you configured a static bi-directional NAT and would run some tests; what did you discover during your tests? With the static NAT, are you still experiencing the issue or not? If you remove the security policies from the NAT address and allow all traffic, does the issue go away or is it still present? And lastly, have you tried this on another network to make sure that this isn't an issue with your RealPresence install/settings?

L7 Applicator

I supported a similar setup a few years ago. Basically these systems create random high port streams to send the audio and video data. As you can see from your symptoms, the control is set up but some of these streams are blocked.

Option 1: get the ALG to work - the ALG is designed to recognize that the needed ports are part of an approved session and open a pinhole for that traffic to come back into the firewall on these random ports. You need to know which system, H323 or SIP, your system is using. Then follow the policy setup instructions so the traffic can correctly hit the ALG.

Option 2: Open the wide range of ports - your system will designate a range of high ports for these streams to the device. If you can't get the ALG to work, you will need to open the entire range of ports to permit the possible audio/video feeds in from untrust to your device. Find the configuration where this port range is set and create the inbound allow policy.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
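As an added illustration (not code from the thread or from Palo Alto/Polycom) of why the original poster's "outside address gets translated, not the inside contents" observation matters and of what the two options above actually change: the script below parses a constructed SIP INVITE carrying SDP, shows the private address and random high RTP ports that a plain NAT leaves untouched inside the payload, derives the pinholes an ALG (Option 1) would open after rewriting the SDP, and checks which negotiated ports a fixed inbound port range (Option 2) would still leave blocked. The IP addresses, ports and the exact ALG rewrite logic are assumptions for the example; real products differ in detail.

```python
import re
from typing import NamedTuple

# Constructed SIP INVITE with SDP, as a RealPresence endpoint behind NAT might emit it.
# NAT rewrites the IP header, but the SDP body still names the private address and
# the random high media ports: the "inside contents" that a plain NAT never touches.
SAMPLE_INVITE = (
    "INVITE sip:room@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.10.25:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.10.25\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.10.25\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)

class MediaStream(NamedTuple):
    kind: str
    port: int

def split_sip(message: str):
    """Split a SIP message into (headers, SDP body) at the blank line."""
    headers, body = message.split("\r\n\r\n", 1)
    return headers, body

def parse_sdp(body: str):
    """Return the SDP connection address and the media streams it announces."""
    addr = re.search(r"^c=IN IP4 (\S+)\s*$", body, re.M).group(1)
    streams = [MediaStream(m.group(1), int(m.group(2)))
               for m in re.finditer(r"^m=(\w+) (\d+) ", body, re.M)]
    return addr, streams

def alg_rewrite(message: str, public_ip: str):
    """Option 1, simplified ALG behaviour (assumed): rewrite the SDP address to the
    public IP and list the inbound pinholes (RTP port and RTCP port = RTP + 1)."""
    headers, body = split_sip(message)
    addr, streams = parse_sdp(body)
    pinholes = sorted({p for s in streams for p in (s.port, s.port + 1)})
    return headers + "\r\n\r\n" + body.replace(addr, public_ip), pinholes

def ports_outside_range(message: str, low: int, high: int):
    """Option 2 check: negotiated media ports that a fixed inbound allow rule for
    low..high would not cover, i.e. the streams that would still be blocked."""
    _, body = split_sip(message)
    _, streams = parse_sdp(body)
    return [p for s in streams for p in (s.port, s.port + 1) if not low <= p <= high]
```

Running `ports_outside_range` against the endpoint's configured media range is a quick way to confirm that an Option 2 allow rule actually covers every port the device picks.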