Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Skype blocking

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Skype blocking

L3 Networker

I have found in testing that with blocking, the application 'skype' and 'skype-probe' if the user is not logged in the policy will block the user from signing into skype, but if the user is already signed into skype and plugs in behind the palo policy, the traffic log shows skype being blocked, but the user is still able to IM.  Am I missing something?

15 REPLIES 15

L5 Sessionator

Hi Markk96,

Make sure you have enabled "Rematch Sessions" under Device -> Setup -> Session and commit. Test again and see if you get similar results. Thank you.

Rematch Sessions is already checked.  Anything else to check?

L5 Sessionator

Hi markk96

As per this article: How to Block SKYPE you should not block skype-probe: "Skype-probe needs to be allowed. Skype-probe runs over port 80 and is used to setup initial connections. When Skype-probe is blocked, the application will encrypt the communication and start using alternate open ports which is why it needs to be allowed."

Have you already tried that ?

L5 Sessionator

I removed skype-probe, i added msn-base, but still it is working, i guess when I get in the lab i will test this out further with unknown tcp and udp.

Thanks for the update, do let us know how it goes Smiley Happy

I have tried, blocking skype, msn base, unknown tcp and udp, but chat still works, even tho skype looks like it is spinning, I am able to send and receive IMs.

HI Mark,

What application does firewall identify for chap? It would be great if you can provide us output for "show session id <>"

Regards,

Hardik Shah

It looks like now it is going out on Insufficent-data.  Not sure how to block that other then the tcp port.

Hi Mark,

In-sufficient data means firewall has not yet identified application. Firewall needs more packets for identification.

Firewall should detect application in some time.

Regards,

Hardik Shah

Have you tried changing the service from "application-default" to "any" for those security rules ?

I just changed it an no difference, uknown tcp was on port 37777 but now it is blocked and now it is insufficent data on port 37777, if i block the port, it just uses a different one.

markk96 I see you have mentioned earlier that you removed "skype-probe" so is it not mentioned in any of the security rules ?

skype-probe should be allowed in one of the security rules for it to work as mentioned in the document.

Skype-Probe is allowed via another policy rule.

  • 5678 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!