10-07-2014 09:26 AM
I have found in testing that, when blocking the applications 'skype' and 'skype-probe', if the user is not logged in, the policy will block the user from signing into Skype. But if the user is already signed into Skype and plugs in behind the Palo policy, the traffic log shows skype being blocked, but the user is still able to IM. Am I missing something?
10-07-2014 09:32 AM
Rematch Sessions is already checked. Anything else to check?
10-07-2014 09:35 AM
Hi markk96,
As per this article, How to Block SKYPE, you should not block skype-probe: "Skype-probe needs to be allowed. Skype-probe runs over port 80 and is used to setup initial connections. When Skype-probe is blocked, the application will encrypt the communication and start using alternate open ports which is why it needs to be allowed."
Have you already tried that?
10-07-2014 09:42 AM
Please also go through this document: Skype is not Blocked for Computers Entering Network with Skype Already Signed In
10-07-2014 10:15 AM
I removed skype-probe and added msn-base, but it is still working. I guess when I get in the lab I will test this out further with unknown tcp and udp.
10-07-2014 10:17 AM
Thanks for the update, do let us know how it goes.
10-07-2014 10:26 AM
I have tried blocking skype, msn base, unknown tcp and udp, but chat still works. Even though Skype looks like it is spinning, I am able to send and receive IMs.
10-07-2014 10:28 AM
Hi Mark,
What application does the firewall identify for chat? It would be great if you could provide us the output of "show session id <>".
Regards,
Hardik Shah
10-07-2014 10:30 AM
It looks like now it is going out on Insufficient-data. Not sure how to block that other than the tcp port.
10-07-2014 10:31 AM
Hi Mark,
Insufficient-data means the firewall has not yet identified the application. The firewall needs more packets for identification.
The firewall should detect the application in some time.
Regards,
Hardik Shah
10-07-2014 10:32 AM
Have you tried changing the service from "application-default" to "any" for those security rules?
10-07-2014 10:40 AM
I just changed it and no difference. Unknown tcp was on port 37777 but now it is blocked, and now it is insufficient data on port 37777. If I block the port, it just uses a different one.
10-07-2014 10:45 AM
markk96, I see you mentioned earlier that you removed "skype-probe", so is it not mentioned in any of the security rules?
skype-probe should be allowed in one of the security rules for it to work, as mentioned in the document.
10-07-2014 11:03 AM
Skype-Probe is allowed via another policy rule.