Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

RTCP issue for matching policy

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

RTCP issue for matching policy

L4 Transporter

Hi,

 

We are having a issue with RTCP traffic. The RTCP traffic is jumping the rule configured for this and matching the last rule (bypass).

 

The filter for the correct rule is application rtcp. We see that the application is identified but sometime is matching the correct and most of the times the last rule.

 

I attach the screenshots with the logs. 

 

what could be the reason? Its not about the first packet is taking the less restrictive rule because the app is being identified in all the moment,

 

 

 

 

 

 

 

 

 



Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.



Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.
7 REPLIES 7

Cyber Elite
Cyber Elite

@BigPalo,

So even though RTCP is documented as udp/dyanmic, I've had similar issues when using application-default instead of any or a custom service range. I'd test if you get the same behavior setting the RTCP traffic to use any service to your telco host(s). If you have anything other than RTP/RTCP traffic in this rule I'd personally separate the traffic out so that only RTP/RTCP isn't limited to application-default.

We already tried to put "any" in service (not app-deafult) but the some sessions are jumping the rule.

L4 Transporter

any idea

Cyber Elite
Cyber Elite

Hello,

What code version are you running? I have some 5220's running 10.1.6-H3 and am seeing the same issue. Think its a bug and waiting another week to go to 10.1.7.

https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/10-1/pan-os-release-notes/pa...

 

Regards,

 

Do you have the bugID for this issue? i would need to confirm it. thanks

Cyber Elite
Cyber Elite

Hello,

I do not. I have a case opened however. Will check to see if 10.1.7 resolves the issue.

Regards,

Cyber Elite
Cyber Elite

Hello,

I read the release notes for 10.1.7 and there is a fix for the following:

 

PAN-194408
Fixed an issue where, when policy rules had the apps that implicitly depended on web browsing configured with the service application default, traffic did not match the rule correctly.

 

Not sure if its the issue you are facing, but worth a read.

Regards,

  • 3578 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!