Why is 'unknown-tcp' an application dependency of Skype? Is it possible to remove a dependency from a pre-defined application, or do we have to set up an application override?
I don't really want to allow unknown-tcp 'apps' just to allow someone to use Skype. And if something is unknown, how does the Firewall match on something which is unknown?
The Palo Alto Firewall requires a varied number of packets to traverse the data plane in order to collect sufficient data to identify an application. The number of packets will vary from app to app. Several applications require unknown TCP and unknown UDP traffic in order to establish a session. These unknown packets often are little more than a port scan used by the parent app to dynamically determine an available port for the session to run over. Skype and other P2P apps commonly use this method to find holes in a firewall.
Thanks for your response, Phill.
I was under the impression this was how the Firewall did its application detection as standard:
let a few packets through, watch for the return, and then tag the application by the signature of the send / response traffic.
Surely if I allow unknown-tcp as an application type on a policy, any application not referenced in the application list on the PA will be allowed through that policy. (Or am I missing something here?) I know there are a lot of known applications, but I'm assuming there are more unknown.
As for the port scanning ability of Skype, I thought that was handled by the "skype-probe" application; that's why to effectively block Skype you:
allow application skype-probe
block application skype
I have run into the same issue as you have and have the same reservations with allowing unknown-tcp just to let someone use skype. This seems like a bigger security risk as there is bound to be quite a few 'unknown-tcp' apps that I don't want allowed by this rule. This could stem from my misunderstanding of exactly what unknown-tcp really is.
Right now I have Skype and skype-probe allowed without any issues to the user, but I still get the dependency warning for unknown-tcp for each commit.
Is it possible to get rid of the dependency error if skype is working?
What exactly does unknown-tcp allow besides a port scan for skype?
Due to the way Skype content is identified by our Content and Threat Detection engine, it may first be listed as "unknown-tcp," then undergo an application shift to "skype" or "skype-probe." The warning that you receive is just to notify you of this dependency, and is not actually an error. You will continue to receive this warning until the policy is adjusted to resolve the dependency; however, it can safely be disregarded if you have the application functioning in your environment. "Unknown-tcp" traffic is any TCP traffic that does not match a signature from our content database. During the course of the session, it may shift to another application once it is successfully matched.
So to use skype you have to allow unknown-tcp which will allow any application/virus/trojan/malware that is not in your database to run unhindered.
The main point of a firewall is to allow certain activity and block anything else - especially stuff when you don't know what it is.
Guy. You need to come up with a better solution.
Rumours say (at least the ones I have heard :P) that PANOS 5.0 will somewhat address this dependency jungle out there so you won't need to open up more than necessary.
For example, where you today must open web-browsing + facebook (which would allow basically any HTTP surfing which doesn't have its own appid) in a single rule, you then will only need to open for just facebook. The PA would then allow a couple of web-browsing packets, enough to identify facebook, and if it's still not identified after a couple of packets it would deny the session.
However, if this is true or not or even involves the Skype detection I don't know; hopefully someone from PAN can answer this?
Otherwise I totally agree with you.
One of the (many) good things with using a PA box is the ability to block unknown traffic. But this will be spoiled if you are forced to allow unknown just to make detection of (for example) Skype (among others) work.
But this whole appid stuff (no matter if it's the one PAN uses or from some other vendor) is a bit sketchy - that's why you should NEVER allow "service:any" even if you use appid, but set at least "service:application-default" or even better manually define which ports should be allowed.
A simple test you can do on your own is if you allow web-browsing to any port for a server. Your "http-like" request can be "a b c" (that is a[space]b[space]c) followed by two enter strokes. This packet will bypass your PA and hit your server. Not until the server replies with "Error 400, Bad Request" will the PA know that "oh, this was supposed to be web-browsing but doesn't look anything like it" and block the response from the server from reaching the client (and at the same time drop the whole session).
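As an added example (not part of the thread and not Palo Alto Networks code): a small audit of an exported security rulebase that flags enabled allow rules matching `unknown-tcp`/`unknown-udp` or using `service any`, the two settings the posts above warn about. The XML is a constructed sample in the PAN-OS rule layout, and the rule names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS security rulebase export;
# rule names are hypothetical, not taken from the thread.
SAMPLE_RULES = """
<rules>
  <entry name="skype-wide">
    <application><member>skype</member><member>skype-probe</member>
      <member>unknown-tcp</member></application>
    <service><member>any</member></service><action>allow</action>
  </entry>
  <entry name="skype-tight">
    <application><member>skype</member><member>skype-probe</member></application>
    <service><member>application-default</member></service><action>allow</action>
  </entry>
  <entry name="drop-unknown">
    <application><member>unknown-tcp</member><member>unknown-udp</member></application>
    <service><member>any</member></service><action>deny</action>
  </entry>
  <entry name="old-test">
    <application><member>any</member></application>
    <service><member>any</member></service><action>allow</action>
    <disabled>yes</disabled>
  </entry>
</rules>
"""

UNKNOWN_APPS = {"unknown-tcp", "unknown-udp"}

def members(entry, tag):
    """Return the set of <member> values under a rule's <tag> element."""
    return {m.text.strip() for m in entry.findall(f"{tag}/member") if m.text}

def audit_rules(xml_text):
    """List (rule, finding) pairs for enabled allow rules that are too broad."""
    findings = []
    for entry in ET.fromstring(xml_text).iter("entry"):
        if (entry.findtext("action") or "").strip() != "allow":
            continue  # deny/drop rules for unknown traffic are the goal
        if (entry.findtext("disabled") or "no").strip() == "yes":
            continue  # disabled rules never match traffic
        name = entry.get("name", "?")
        apps, services = members(entry, "application"), members(entry, "service")
        for app in sorted(apps & (UNKNOWN_APPS | {"any"})):
            findings.append((name, f"allows application {app}"))
        if "any" in services:
            findings.append((name, "service any instead of application-default"))
    return findings

if __name__ == "__main__":
    for rule, finding in audit_rules(SAMPLE_RULES):
        print(f"{rule}: {finding}")
```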