I've some problems with Skype instant messaging.
Sometimes the messages are not sent.
Checking the firewall logs, I see that when messages are not sent, an 'unknown-tcp' connection is denied.
The same destination port (but a different IP) was used and recognized before as a 'skype' connection.
| Time | App | From | Src Port | Source | Rule | Action | To | Dst Port | Destination | Src User | Dst User |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 2012/11/06 11:19:26 | skype | Zone1 | 52682 | 192.168.xxx.xxx | | | | | | | |
| 2012/11/06 11:19:56 | unknown-tcp | Zone1 | 49727 | 192.168.xxx.xxx | blocca_navigazione | deny | Zone2 | 12350 | 184.108.40.206 | | |
It seems that PAN-OS was not able to correctly identify the connection.
For security reasons I cannot open 'unknown-tcp' connections.
Application and threat: 336-1565 2012-10-30
Yes, but the signature could, for example, be something like this (just guessing, but as an example):
If skype-probe is detected using dstip X and dstport Y, and unknown-tcp shows up within Z minutes of the initial connection towards the same dstip and dstport, identify this as skype-message; else identify it as unknown-tcp.
Well, unless PA broke the private keys of Skype, that's the security problem you will face if you choose to allow Skype to traverse through your network and into the Internet.
Simply because Skype uses encryption and various ways to avoid being detected. For example, not using a static SSL certificate or such.
The same goes for windowsupdate, which is a similar problem. But in this case windowsupdate uses dedicated server certificates, and if the SSL doesn't match, the client will refuse to download anything from the SSL-terminated server.
Now here is something strange for you all to wrap your head around: I have the very same problem, but in my case, all communication is allowed (there is an any-allow rule). Messages can't be sent, sometimes they have the status "pending" forever (while the destination actually receives the message), and replies don't come back.
Yes and no. SSL forward-proxy, but no blocking of sessions (the only thing being blocked in the decryption profile are expired certificates).
I am seeing tons of blocked *incoming* Skype sessions though (from untrust to trust). My incoming policy is to deny all, but it shouldn't block incoming Skype sessions that are "stateful", e.g. result from outgoing sessions, right?
Actually, we don't use SSL decryption and we have problems with allowing Skype.
We must allow Skype for some networks and block Skype for some networks. This did work fine before, with CheckPoint firewall and IronPort proxy; all was OK. CheckPoint blocked Skype totally, and Skype worked through the proxy, using port 443.
But this doesn't work with PaloAlto, v5.0.2.
I have checked the logs a lot, and it seems that PaloAlto can detect Skype somehow 50/50. I also noticed that the destination IPs that PaloAlto detects as Skype are sending tons of packets back, but PaloAlto drops them all. This seems to be a bug.
Some users can't connect. Some can. Some can connect and send messages, but can't make calls, messages are delayed, etc.
This is a HUGE problem for us.
I tried everything with PaloAlto, even allowing only port 443 for Skype, still without luck.
We tried upgrading Skype to the latest version; this is even worse for some users, it seems PaloAlto can't detect Skype 6.1 properly.
I asked to open a support case also.
Unfortunately, you cannot block/allow Skype for part of the users in the same network due to the nature of Skype... catchword Supernode. But there are some restrictions to Supernode; the safest way is to disable the function through a registry setting.
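The correlation rule guessed at earlier in the thread (an unknown-tcp session within Z minutes of a skype-probe to the same dstip and dstport is treated as Skype messaging), as an added Python example for triaging exported traffic-log rows offline; it is not PAN-OS code or any poster's code. The log rows are constructed, `skype-message` is the hypothetical label from that post, and keying on the source host as well is an added assumption.

```python
from datetime import datetime, timedelta

FMT = "%Y/%m/%d %H:%M:%S"

# Constructed sample rows: (time, app, source, dst ip, dst port, action).
# Addresses are documentation ranges, not values from the thread.
SAMPLE_LOG = [
    ("2012/11/06 11:19:26", "skype-probe", "192.168.1.10", "203.0.113.5", 12350, "allow"),
    ("2012/11/06 11:19:56", "unknown-tcp", "192.168.1.10", "203.0.113.5", 12350, "deny"),
    # Same port but a different destination IP: the rule does not match.
    ("2012/11/06 11:20:10", "unknown-tcp", "192.168.1.10", "198.51.100.7", 12350, "deny"),
    # Same destination, but outside the default window.
    ("2012/11/06 11:45:00", "unknown-tcp", "192.168.1.10", "203.0.113.5", 12350, "deny"),
]


def relabel(rows, window_minutes=5):
    """Relabel unknown-tcp rows as 'skype-message' when they follow a skype-probe.

    A row matches when the most recent skype-probe from the same source to the
    same destination IP and port is at most window_minutes older. Keying on the
    source is an added assumption so one client's probe does not vouch for
    another client's traffic. The logged action is left untouched.
    """
    window = timedelta(minutes=window_minutes)
    last_probe = {}  # (source, dst ip, dst port) -> time of latest skype-probe
    out = []
    for row in sorted(rows, key=lambda r: datetime.strptime(r[0], FMT)):
        ts, app, src, dst_ip, dst_port, action = row
        when = datetime.strptime(ts, FMT)
        key = (src, dst_ip, dst_port)
        if app == "skype-probe":
            last_probe[key] = when
        elif app == "unknown-tcp":
            probe = last_probe.get(key)
            if probe is not None and when - probe <= window:
                app = "skype-message"
        out.append((ts, app, src, dst_ip, dst_port, action))
    return out


if __name__ == "__main__":
    for entry in relabel(SAMPLE_LOG):
        print(entry)
```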