Problems with Skype rule letting traffic through

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Problems with Skype rule letting traffic through

Not applicable

Hi,

I am trying to configure a rule on the PA2050 to allow SKYPE out of the network, and I am seeing a bit of a security hole in the app rule.

I have set it up using the document:

https://live.paloaltonetworks.com/docs/DOC-1505/controllingskype.pdf

I have:

From Zone: Trust

to Zone: Untrust

Address: <My Workstation>

Application: SKYPE, SKYPE-PROBE, UNKNOWN-UDP

Service: Application Default

If I do a telnet to an IP address on the internet on a random port, it gets through OK using this rule, in the logs I see:

From <My Workstation>, to <Internet Address>, <Port Numbers>, Application Incomplete, action ALLOW, Rule <Skype Allow Rule>

At the other end I can see the TCP connection establish correctly.

The firewall should be blocking the traffic, as the traffic is NOT skype traffic, but it seems using SKYPE as the application ID it will allow any other unwanted traffic out.

Have I done something wrong in setting up the rule, or is this a bug?

Thanks

1 accepted solution

Accepted Solutions

L3 Networker

jenkinsp,

Your rule appears to be configured correctly and the firewall is also acting as it should.

The PAN firewall will allow sessions to be created based on the 6-tuple key (source_address, destination_address, source_port, destination_port, protocol & security_zone) so that enough data (Layer7) packets can flow through, in order for the application engine to identify the application.

Once the app engine identifies your traffic as SKYPE or otherwise, then the firewall makes the decision to allow or deny the rest of the traffic based on the identified application.

For your test, when you telnet to the external IP and port, the firewall would first create a session with the application as 'undecided', which is enough to allow the SYN, SYN/ACK, ACK through, and that is why you see a successfully formed TCP session.

As soon as you try to pass other traffic in this telnet session, however, the app engine will detect the correct application and the firewall either permits or denies it based on the rest of your configured security rules.

You can use the CLI command 'show session all filter destination <dest_IP_address> destination-port <port_#>' to confirm how the firewall identifies the application of your (telnet) traffic.

Hope this helps.

Regards,

tasonibare

View solution in original post

4 REPLIES 4

L3 Networker

jenkinsp,

Your rule appears to be configured correctly and the firewall is also acting as it should.

The PAN firewall will allow sessions to be created based on the 6-tuple key (source_address, destination_address, source_port, destination_port, protocol & security_zone) so that enough data (Layer7) packets can flow through, in order for the application engine to identify the application.

Once the app engine identifies your traffic as SKYPE or otherwise, then the firewall makes the decision to allow or deny the rest of the traffic based on the identified application.

For your test, when you telnet to the external IP and port, the firewall would first create a session with the application as 'undecided', which is enough to allow the SYN, SYN/ACK, ACK through, and that is why you see a successfully formed TCP session.

As soon as you try to pass other traffic in this telnet session, however, the app engine will detect the correct application and the firewall either permits or denies it based on the rest of your configured security rules.

You can use the CLI command 'show session all filter destination <dest_IP_address> destination-port <port_#>' to confirm how the firewall identifies the application of your (telnet) traffic.

Hope this helps.

Regards,

tasonibare

L6 Presenter

Good morning, have you found the correct destination dns name (skype sistes) that must be trusted for allowing Skype the connection?

  • 1 accepted solution
  • 4236 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!