Skype requires 'unknown-tcp'

JohnP · ‎07-27-2011

Why is 'unknown-tcp' an application dependency of Skype, is it possible to remove a dependency from a pre-defined application. Or do we have to setup an application overide?

I don't really want to allow unknown-tcp 'apps' just to allow someone to use Skype. And if something is unknown how does the Firewall match on something which is unknown?

Thanks

pkruse · ‎07-29-2011

The Palo Alto Firewall requires a varied number of packets to traverse the data plane in order to collect sufficient data to identify an application. The number of packets will vary from app to app. Several applications require unknown TCP and unknown udp traffic in order to establish a session. These unknown packets often are little more than a port scan used by the parent app to dynamically determine an available port for the session to run over. Skype and other P2P apps commonly use this method to find holes in a firewall.

~Phil

JohnP · ‎07-29-2011

Thanks for your response Phill

I was under the impression this was how the Firewall did it's application detection as standard.

let a few packets through watch for the return and then tag the application by the signature of the send / response traffic.

surely if i allow unknown-tcp as an application type on a policy, any application not referenced in the application list on the PA will be allowed through that policy. (or am I missing something here) I know there are a lot known applications but I'm assuming there are more unknown.

As for the port scaning ability of skype I thought that was handled by the "skype-probe" application thats why to effectively block skype you:

allow application skype-probe

block application skype

ChanceMaggard · ‎10-28-2011

JohnP,

I have run into the same issue as you have and have the same reservations with allowing unknown-tcp just to let someone use skype. This seems like a bigger security risk as there is bound to be quite a few 'unknown-tcp' apps that I don't want allowed by this rule. This could stem from my misunderstanding of exactly what unknown-tcp really is.

Right now I have Skype and skype-probe allowed without any issues to the user, but I still get the dependency warning for unknown-tcp for each commit.

Palo Alto,

Is it possible to get rid of the dependency error if skype is working?

What exactly does unknown-tcp allow besides a port scan for skype?

Thanks,

CMAGGAR

ggarrison · ‎10-28-2011

Due to the way Skype content is identified by our Content and Threat Detection engine, it may first be listed as "unknown-tcp," then undergo an application shift to "skype" or "skype-probe." The warning that you receive is just to notify you of this dependency, and is not actually an error. You will continue to receive this warning until the policy is adjusted to resolve the dependency, however it can safely be disregarded if you have the application functioning in your environment. "Unknown-tcp" traffic is any TCP traffic that does not match a signature from our content database. During the course of the session, it may shift to another application once it is successfully matched.

Skype requires 'unknown-tcp'

Skype requires 'unknown-tcp'

Show your appreciation!