This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

RTP traffic not matching App-ID Rule

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

RTP traffic not matching App-ID Rule

Go to solution
IanGraham
L1 Bithead

‎01-08-2024 12:37 PM - edited ‎01-08-2024 12:45 PM

I have a strange issue where I have a configured rule to allow the "rtp" and "rtcp" App-IDs with application-default service from any-to-any. Below that rule I have a generic permit-any rule with application service any. Screenshots below. The behavior I am running into is that positively identified rtp and rtcp sessions are not matching my higher rule, and instead are flowing down to the permit-any-any rule, however when I check the security logs, they are showing the app being correctly identified as rtp or rtcp.

 

There doesn't appear to be anything in common between the traffic that does or does not match, such as a port number. The APP-ID for RTP lists the port range as dynamic so I am assuming this isn't an issue related to the port range.

 

I also looked into weather or not the issue is related to pinhole traffic from the SIP session which sets up the RTP predict session, but according to the documentation there is still a requirement to have an APP-ID rule matching the RTP/RTCP traffic. We do have SIP AGL enabled (default setting) but I would think since my rule is so permissive (any/any source/dest) the SIP AGL functionality is irrelevant.

 

Edit: We are running 10.1.5-h1 and I have checked known issues, but didn't find anything that sounded relevant.

 

Any help is appreciated!

 

IanGraham_0-1704745546729.png

IanGraham_3-1704745826139.png

IanGraham_2-1704745786416.png

 

1 accepted solution

Accepted Solutions

Go to solution
BPry
Cyber Elite
Cyber Elite

‎01-08-2024 01:15 PM

@IanGraham,

I've actually found in regards to RTP and RTCP that you actually do want to switch the service to any to reliably identify this traffic and have it match your policy appropriately. I'd want to scope that rule a bit better before making that change however since you've got it wide open at the moment. 

View solution in original post

(1)
2 REPLIES 2

Go to solution
BPry
Cyber Elite
Cyber Elite

‎01-08-2024 01:15 PM

@IanGraham,

I've actually found in regards to RTP and RTCP that you actually do want to switch the service to any to reliably identify this traffic and have it match your policy appropriately. I'd want to scope that rule a bit better before making that change however since you've got it wide open at the moment. 

(1)

Go to solution
ChrisHowell2
L0 Member

‎06-19-2024 09:08 PM - edited ‎06-19-2024 09:21 PM

This just helped me, I had a very similar situation on Prisma Access Global Protect for VPN users on a new VOIP project.

 

I had the new five9 voip rule above catch all deny all rule, confused why voip test calls would miss my new five9 voip rule. Watching logs saw hits but no counter in crease or mostly no hit on my new five9 voip rule at all passing it and hit the default deny any any rule and drop in summary. 

 

I added the vendor requested ports for five9 for UDP and TCP and everytime I added them into the rule it broke the app would stop hitting my rule for voip. 

 

The URL ports were good in another URL rule for this vendor as all the sites requested (about 20) were low risk computer info

 

It seemed the RTP and RTCP would fail

 

So I just used source: Prisma vpn user , destination vendor IP ranges from white paper, and then apps=RTP, RTCP, and SSL, Left URL Category checked on, and for service selected all since it was so dynamic.

 

It worked after the push the rule was being hit consistent, the drops stopped in the logs, and the app five9 when testing worked

0 Likes Likes
  • 1 accepted solution
  • 1719 Views
  • 2 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks