Skype requires 'unknown-tcp'

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Skype requires 'unknown-tcp'

L1 Bithead

Why is 'unknown-tcp' an application dependency of Skype,  is it possible to remove a dependency from a pre-defined application.   Or do we have to setup an application overide?

I don't really want to allow unknown-tcp 'apps' just to allow someone to use Skype.  And if something is unknown how does the Firewall match on something which is unknown?



L4 Transporter

The Palo Alto Firewall requires a varied number of packets to traverse the data plane in order to collect sufficient data to identify an application. The number of packets will vary from app to app. Several applications require unknown TCP and unknown udp traffic in order to establish a session. These unknown packets often are little more than a port scan used by the parent app to dynamically determine an available port for the session to run over. Skype and other P2P apps commonly use this method to find holes in a firewall.


Thanks for your response Phill

I was under the impression this was how the Firewall did it's application detection as standard.

let a few packets through watch for the return and then tag the application by the signature of the send / response traffic.

surely if i allow unknown-tcp as an application type on a policy, any application not referenced in the application list on the PA will be allowed through that policy. (or am I missing something here)  I know there are a lot known applications but I'm assuming there are more unknown.

As for the port scaning ability of skype I thought that was handled by the "skype-probe" application thats why to effectively block skype you:

allow application skype-probe

block application skype


I have run into the same issue as you have and have the same reservations with allowing unknown-tcp just to let someone use skype.  This seems like a bigger security risk as there is bound to be quite a few 'unknown-tcp' apps that I don't want allowed by this rule. This could stem from my misunderstanding of exactly what unknown-tcp really is.

Right now I have Skype and skype-probe allowed without any issues to the user, but I still get the dependency warning for unknown-tcp for each commit.

Palo Alto,

Is it possible to get rid of the dependency error if skype is working?

What exactly does unknown-tcp allow besides a port scan for skype?



Due to the way Skype content is identified by our Content and Threat Detection engine, it may first be listed as "unknown-tcp," then undergo an application shift to "skype" or "skype-probe."  The warning that you receive is just to notify you of this dependency, and is not actually an error.  You will continue to receive this warning until the policy is adjusted to resolve the dependency, however it can safely be disregarded if you have the application functioning in your environment.  "Unknown-tcp" traffic is any TCP traffic that does not match a signature from our content database.  During the course of the session, it may shift to another application once it is successfully matched.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!