04-17-2025 07:52 AM
Currently have a PA-440 at home and trying to set up the Signal messaging application. I know the application is cert-pinned and therefore cannot be decrypted. To get it to work, I added the following hosts/domains to the SSL Decryption Exclusion list per the Signal website:
https://support.signal.org/hc/en-us/articles/360007320291-Firewall-and-Internet-settings
*.signal.org
signal.art
signal.group
signal.link
signal.me
signal.tube
Text messaging and calling work, but the only application I'm seeing in the logs is SSL/443. I don't see the signal-base or signal-file-transfer applications in the logs.
When I make a call from my iPhone, I see in the logs that UDP/dynamic ports are getting dropped. Some of the random dynamic UDP ports are identified as STUN traffic, and others are "not applicable". I thought this traffic was supposed to be covered by the signal-base application.
In my security policy, signal-base, signal-file-transfer and SSL are included in my overall trusted outbound rule. I do have the STUN application added too, but all are set to application-default.
Is this normal behavior for the signal application?
04-22-2025 09:26 AM
Hello,
What you are seeing is correct. Since the decryption is not happening, the PAN cannot determine the proper application, hence just ssl/443.
Regards,
04-22-2025 11:07 AM
@OtakarKlier wrote:
Hello,
What you are seeing is correct. Since the decryption is not happening, the PAN cannot determine the proper application, hence just ssl/443.
Regards,
I would agree, but then why would Palo have App-IDs for Signal other than the base one if decryption is needed, yet decryption for Signal isn't a viable option?
04-22-2025 11:07 AM
Thanks for the feedback. I didn't understand why I was seeing the UDP/dynamic traffic drops when making a phone call. The call does go through, but I was surprised to see this traffic in the logs. If I'm just sending text only, the logs show the SSL/443 traffic, which makes sense.
04-22-2025 11:25 AM
@shoot0267 -- You shouldn't need decryption for things like "base" apps to show up. Even with undecrypted traffic the SNI is seen, and "signal-base" should be showing up in the traffic logs. There's probably an issue with legit Signal traffic not matching the App-ID correctly; it's probably best to open a support case so the App-ID matches.
04-22-2025 11:48 AM
Yeah, I'm not decrypting any of the Signal traffic. About a month ago, I did see the App-ID "signal-file-transfer" in my logs but never saw "signal-base". Now, I'm only seeing SSL/443 for chat messages. I guess the Signal application on the iPhone may have changed.
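To check for the pattern discussed in this thread (Signal chat showing only as ssl/443, and UDP high-port sessions during a call being denied as stun, not-applicable or incomplete), here is a small triage script over a CSV export of the firewall's traffic log. This is an added example, not code from the thread or from Palo Alto Networks; the log lines are constructed, the column subset (receive_time, src, dst, proto, dport, app, action, rule, session_end_reason) is an assumed trimming of a real export, and the IP addresses are placeholders.

```python
import csv
import io
from collections import Counter

# Constructed sample of a trimmed PAN-OS traffic log export (assumed column
# subset; addresses and timestamps are placeholders, not a real capture).
SAMPLE_TRAFFIC_LOG = """\
receive_time,src,dst,proto,dport,app,action,rule,session_end_reason
2025/04/22 11:00:01,192.168.1.20,203.0.113.10,tcp,443,ssl,allow,trusted-outbound,tcp-fin
2025/04/22 11:00:02,192.168.1.20,203.0.113.10,tcp,443,signal-file-transfer,allow,trusted-outbound,tcp-fin
2025/04/22 11:00:05,192.168.1.20,203.0.113.20,udp,10000,stun,allow,trusted-outbound,aged-out
2025/04/22 11:00:06,192.168.1.20,203.0.113.20,udp,31234,not-applicable,deny,interzone-default,policy-deny
2025/04/22 11:00:07,192.168.1.20,203.0.113.20,udp,31235,stun,deny,interzone-default,policy-deny
2025/04/22 11:00:09,192.168.1.20,203.0.113.20,udp,31236,incomplete,deny,interzone-default,policy-deny
"""

# The Signal App-IDs named in the thread.
SIGNAL_APPS = {"signal-base", "signal-file-transfer"}


def parse_traffic_log(text):
    """Parse the CSV export into a list of dicts; dport is converted to int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["dport"] = int(row["dport"])
    return rows


def app_summary(rows):
    """Count sessions per (app, proto, action): what App-ID actually reported."""
    return Counter((r["app"], r["proto"], r["action"]) for r in rows)


def signal_apps_seen(rows):
    """Which of the Signal App-IDs appeared at all in the export."""
    return sorted({r["app"] for r in rows if r["app"] in SIGNAL_APPS})


def suspicious_udp_drops(rows, ephemeral_min=1024):
    """Denied UDP sessions on high ports that App-ID did not attribute to a
    Signal app: the drops the thread describes during a voice call."""
    return [
        r for r in rows
        if r["proto"] == "udp"
        and r["action"] == "deny"
        and r["dport"] >= ephemeral_min
        and r["app"] not in SIGNAL_APPS
    ]


def triage(text):
    """One-shot summary answering the thread's questions for an export."""
    rows = parse_traffic_log(text)
    drops = suspicious_udp_drops(rows)
    return {
        "signal_apps_seen": signal_apps_seen(rows),
        "udp_drop_count": len(drops),
        "udp_drop_apps": sorted({r["app"] for r in drops}),
        "udp_drop_rules": sorted({r["rule"] for r in drops}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRAFFIC_LOG).items():
        print(f"{key}: {value}")
    for (app, proto, action), n in sorted(app_summary(parse_traffic_log(SAMPLE_TRAFFIC_LOG)).items()):
        print(f"{app:22} {proto:4} {action:6} {n}")
```

The useful output is `udp_drop_rules`: it shows which rule is actually denying the call's media sessions. If the denies land on the default interzone rule rather than the trusted outbound rule that lists signal-base and stun at application-default, the firewall never attributed those sessions to an allowed app, which is the evidence to attach to a support case as suggested above.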