11-06-2012 03:09 AM
Hi,
I have some problems with Skype instant messaging.
Sometimes the messages are not sent.
Checking the firewall logs, I see that when messages are not sent an 'unknown-tcp' connection is denied.
The same destination port (but a different IP) was used and recognized before as a 'skype' connection.
For example:
Time                | App         | From  | Src Port | Source          | Rule               | Action | To    | Dst Port | Destination   | Src User | Dst User
2012/11/06 11:19:26 | skype       | Zone1 | 52682    | 192.168.xxx.xxx | Skype              | allow  | Zone2 | 12350    | 78.141.179.16 | user1    |
2012/11/06 11:19:56 | unknown-tcp | Zone1 | 49727    | 192.168.xxx.xxx | blocca_navigazione | deny   | Zone2 | 12350    | 78.141.179.12 | user1    |
It seems that PAN-OS was not able to identify the connection correctly.
For security reasons I cannot open 'unknown-tcp' connections.
Any solutions?
Firewall: PAN-500
OS: 4.1.7
Application and threat: 336-1565 2012-10-30
Thanks
Regards
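Added example (not from the original thread) showing one way to screen an exported traffic log for the pattern described in the post: a denied unknown-tcp/udp session that hits the same destination port a recognised application session from the same user reached moments before. The comma-separated layout, the 192.168.1.x and 93.184.216.34 addresses and the two extra rows are constructed for the example; the column order follows the pasted log.

```python
from datetime import datetime, timedelta

# Constructed sample rows in the column order of the pasted log:
# time, app, from, src port, source, rule, action, to, dst port, destination, src user
# (all addresses except the two 78.141.179.x destinations are made up).
SAMPLE_LOG = """\
2012/11/06 11:19:26,skype,Zone1,52682,192.168.1.10,Skype,allow,Zone2,12350,78.141.179.16,user1
2012/11/06 11:19:56,unknown-tcp,Zone1,49727,192.168.1.10,blocca_navigazione,deny,Zone2,12350,78.141.179.12,user1
2012/11/06 11:25:03,web-browsing,Zone1,50100,192.168.1.11,Web,allow,Zone2,80,93.184.216.34,user2
2012/11/06 11:40:11,unknown-tcp,Zone1,50233,192.168.1.12,blocca_navigazione,deny,Zone2,443,93.184.216.34,user3
"""

FIELDS = ["time", "app", "from_zone", "src_port", "src", "rule", "action",
          "to_zone", "dst_port", "dst", "src_user"]


def parse_log(text):
    """Parse comma-separated traffic-log rows into dicts with typed time and ports."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split(",")))
        rec["time"] = datetime.strptime(rec["time"], "%Y/%m/%d %H:%M:%S")
        rec["src_port"] = int(rec["src_port"])
        rec["dst_port"] = int(rec["dst_port"])
        rows.append(rec)
    return rows


def suspected_misidentified(rows, window=timedelta(minutes=10)):
    """Pair each denied unknown-* session with an allowed, App-ID-classified
    session from the same user to the same destination port within `window`
    before it; such pairs are worth a closer look before touching the rules."""
    known = []  # allowed sessions with a recognised app, oldest first
    hits = []
    for rec in sorted(rows, key=lambda r: r["time"]):
        if rec["action"] == "allow" and not rec["app"].startswith("unknown-"):
            known.append(rec)
        elif rec["action"] == "deny" and rec["app"].startswith("unknown-"):
            for prev in reversed(known):  # newest first
                if rec["time"] - prev["time"] > window:
                    break  # everything older is outside the window too
                if prev["src_user"] == rec["src_user"] and prev["dst_port"] == rec["dst_port"]:
                    hits.append((rec, prev))
                    break
    return hits
```

Running `suspected_misidentified(parse_log(SAMPLE_LOG))` on the sample pairs the denied unknown-tcp session to 78.141.179.12 with the earlier allowed skype session on port 12350, while the unrelated denied session on port 443 is not paired.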
02-12-2013 07:44 AM
Again I tested this scenario in my lab. I allow Skype for one particular AD user and block it for the rest.
Only user A can connect.
02-12-2013 07:51 AM
What Skype version are you using? Is it the default or an edited version? Did you test messages, voice, and video? Did you test between internal <> external or between internal <> internal users? What PAN-OS?
I also see that with such rules, like yours, sometimes everything works. One call gets through, the next to the same person fails. But as I have almost 10 000 users, every call which fails is a big issue.
02-12-2013 08:02 AM
Skype 6.1.0.129, default. Messaging and voice are working (of course only for user A). I cannot test video, no webcam available. Tested with an external contact. PAN-OS 5.0.2, latest updates as mentioned above.
02-14-2013 12:20 AM
Hmm, about your rules, why do you:
a) first deny unknown-udp and unknown-tcp for any?
b) allow skype-probe for any?
I can't find the reason for keeping skype-probe and skype in two different rules. I'm using skype-probe and skype in one rule, and below the allow rule is a deny rule for all.
02-14-2013 01:05 AM
ksuuk wrote:
Hmm, about your rules, why do you:
a) first deny unknown-udp and unknown-tcp for any?
Because I followed your rule to not allow any unknown apps in the first place.
b) allow skype-probe for any?
In order to control skype you have to allow skype-probe and then deny skype.
02-14-2013 01:12 AM
According to the manual, yes, skype-probe must be allowed for all, but I found that it's not so mandatory. I'm using skype-probe and skype in one rule, and the next one is deny all.
02-14-2013 01:19 AM
Yes.
But for me the main problem is that when clients are using Skype, I see a lot of unknown-tcp and unknown-udp packets, which are dropped. Allowing them makes Skype work but kills the firewall.
02-14-2013 12:17 PM
We're having pretty much the same problem and are looking for ways around the PA firewall. There are registry entries that can be set for Skype to use a proxy server. These settings can be applied through GPO. There are only two issues:
- Notebooks: when they are outside the company network (with no active VPN tunnel), the internal proxy wouldn't be found and Skype could not connect.
- If using a SOCKS proxy, the password would be transmitted in clear text over the network. If using an HTTP CONNECT proxy, Skype only supports Basic Authentication (no Digest!), which is more or less the same as clear text...
Probably someone has an idea of how to fix the first or even the second issue as a workaround?
02-18-2013 02:19 AM
At this point I'm 100% sure that the problem is in the PAN skype-probe and skype app detection logic.
See the logs. If the skype-probe app once detects traffic for some IP as skype-probe, then how is it possible that the next detection is unknown-udp?
And how does it take 30 minutes to match unknown-tcp as skype?
Same destination IP, close destination port range. It's a huge bug.
We need skype app update ASAP.