Showing results for 
Show  only  | Search instead for 
Did you mean: 


Not applicable

We are a small university with a PA 2050. Since we installed the box, our XBOX live gamers have complained that they can't connect to XBOX live, or that if they ever DO connect, it takes a long time. The message they receive, in particular, is that their NAT setting was set to "strict".

I've allowed xbox traffic in the PA, I've even gone and specifically opened XBOX ports, but no luck. A last setting that Xbox live suggests is turning on UPnP, which doesn't seem to be an option in my PA, and even if it was, I wouldn't really want to enable because of the security problems that might cause.

Does anyone have any insight into this problem?



Accepted Solutions

We ended up solving the problem by having Xboxes on a vlan that gave them public IP addresses. This was the only way we found to not receive complaints from end users.  Even giving the 1-1 NAT addresses didn't work and we really didn't want to add all the manual static NAT rules.

View solution in original post


L3 Networker

I assume you are using a pool NAT, where multiple internal systems are NATed behind a single external NAT.  In this situation the XBOX NAT test will come back as strict.  This is normal and the XBOX should still work and users should still be able to connect and play games.  You shouldn't need the inbound ports open, because the PAN should detect the XBOX traffic and be able to handle the return traffic gracefully.

You're outbound policy should allow the XBOX live application out.  In the service column you should either be using application default or any.  You might want to create a specific policy allowing XBOX application only.

As a test you might try configuring a static (one-to-one) NAT for a device and see if this improves things.

What game are they having trouble with?

If you still have problems you should open a support case.

Thanks so much for your response. I think I understand the problem, based on your explanation, and I've updated the rule. However, when I commit the rule I'm told there's a Kerberos and web-browsing dependency. Should I be adding these to the rule as well?


Kerberos is an authentication protocol. So there is probably a separate session created for your XBOX Live login. They probably also exchange some information on port 80 so this is the "Web Browsing" requirement. As long as the XBox has the ability to Send/Receive web and Kerberos you will be OK. These can separate rules or one rule with all dependencies. Separation will give you better visibility if you need to investigate or run reports.

Steve Krall

I have learned from my son that 'strict' NAT (in the XBox term) only allows to access games in the internet, but not hosting a game. For hosting a game 'dynamic NAT' (in the XBox term) is necessary'.

We are similiar in that we just switched to a PA2020 from a PIX525 a week ago.

I believe this is a NAT problem, not a port/application problem.

On the Pix I was able to get the Xbox to show up as moderate NAT which is good enough for our students as achieving open is probably not safe or even possible in an enterprise network.

The three levels are strict, moderate, open.

I used my xbox originally when I setup game consoles to work on the PIX so I am going to bring my console back in soon and experiment with it directly.

If anyone has any success in solving this though, please let us know.  If I come up with a solution I'll update my post.


The XBox most definitely does use Kerberos traffic (it actually does use port 88) in communication with the Live servers, so you don't want to block that (and if you don't have a list-ending "Allow all," then you want to explictly add Kerberos for the Xboxen).  It wouldn't surprise me if some of the traffic decodes as http/web-browsing, although it may not necessarily use port 80.

In a typical home environment, the XBox will attempt to use UPnP to communicate to the router that it wants one single port open for itself. It will use a dynamic high-numbered port, and UPnP will simply forward this off the router back to the XBox.  It does a combination of TCP and UDP traffic over that port.

I have not gotten to try a PA device at home so I'm not sure how well the decoders and NAT functionality handle this process.  In the absence of UPnP, the XBox will never show "Open NAT" (unless there is a 1:1 NAT or some other setup in place where all of its traffic passes transparently).  At least, this has been my experience with a bunch of other firewalls.  I currently use a pfSense device at home, specifically because it does support UPnP (along with some enterprise grade features) so I can have my nerdy IT cake (RRDTool graphs and advanced rulesets) and eat it too (no problems with XBoxen or DirecTV receivers or the like due to UPnP).  pfSense even allows you to limit UPnP functionality to specific subnets/IPs, so I could potentially see it being an answer for a university (use DHCP to restrict your Xboxes to a specific subnet, and then only allow that subnet to use UPnP, and rate limit / traffic shape it so it is only good for game traffic and not bulk downloads).

After all of the hell I went through with bug #32846, I'd love for PA to send me a 500 with lifetime definitions to experiment with at home.  Smiley Wink

Did you ever get a solution?

I am have a simular issue but I can not get the xbox to even utilize the moderate setting.  I have open all ports and even the application settings.  I really think this is an issue with NAT and not the fireall blocking as I even tried ANY <> ANY.  Thanks.

Never really did. However, we have noticed that there are some games that have issues with this, and others that don't. We especially hear reports from Call of Duty players. But most others have no trouble whatsoever. So it seems like it is often linked to the game manufacturer.

Hi David,

in the XBox there is a function to test the connection and even with ANY,ANY, Allow and PANOS 4.1.3 it is not working.

Really annoying!

Even my 4 or 5 years old Checkpoint Box is capable of handling XBox Live, which my brand new PAN is not.

Just checking in to see if anyone has had success with the PAN-OS + XBOX LIVE and getting NAT to level OPEN or MODERATE?



The only way that we got to Open was to run inbound NAT on selected Xbox's. Fortunately we have multiple external IP Addresses we could NAT with

Not applicable

Has anyone been able to get this to work without the use of multiple public IP address for each Xbox 360?

This is what was posted as a resolution, I hardly believe this to be a resolution unless everyone cutover to IPv6 and I didn't know about it.


Create a static NAT entry to forward all external traffic destined to a particular public IP to the private IP of the Xbox360 device.

Each Xbox360 device behind the firewall will require a public IP and an appropriate NAT mapping.

For information on how to configure a static 1-to-1 destination NAT policy, or bi-directional NAT mapping please refer to the Understanding PAN-OS NATdocument.

We ended up solving the problem by having Xboxes on a vlan that gave them public IP addresses. This was the only way we found to not receive complaints from end users.  Even giving the 1-1 NAT addresses didn't work and we really didn't want to add all the manual static NAT rules.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!