OBi 200/202 no audio but call connects
After installing a Palo Alto PA-220 with standard policies, there were several things that were broken.
The offender was the default outbound policy to the internet/WAN. While the source/destination are any/any, the Service specified is application-default which basically means that if services are using non-standard ports they won't be allowed in this policy. There weren't any indications of dropped traffic in the logs, because default policies are not logged in Palo Alto devices by default, and this traffic was getting denied by the interzone-default policy.
To resolve this easily, just change application-default to any. However, you may want to see what else is being blocked, and potentially keep blocking some of that. To do so, you could do one of the following:
How to log traffic in default security policies:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHkCAK
Mostly I'm finding that this is catching SSL over ports other than 443. I'm sure there's a more elegant way to do this, but this is a learning experience for me.
What does application-default mean
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVwCAK
Application-default blocks speedtest.net
https://live.paloaltonetworks.com/t5/General-Topics/application-any-and-service-application-default-in-policy/td-p/258909
- VOIP phone through Google Voice/OBi analogue - no audio on any call (STUN over port 19305)
- Speedtest.net find server and tests would not complete (SSL over port 8080)
- Our washer and drier were no longer sending notifications when laundry was done (SSL over 46030)
- External Plex server (SSL over port 32400)
The offender was the default outbound policy to the internet/WAN. While the source/destination are any/any, the Service specified is application-default which basically means that if services are using non-standard ports they won't be allowed in this policy. There weren't any indications of dropped traffic in the logs, because default policies are not logged in Palo Alto devices by default, and this traffic was getting denied by the interzone-default policy.
To resolve this easily, just change application-default to any. However, you may want to see what else is being blocked, and potentially keep blocking some of that. To do so, you could do one of the following:
- log traffic in default security policies temporarily
How to log traffic in default security policies:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHkCAK
- Keep the outbound rule as application-default, and create a subsequent rule that denies all. This will log all the denies, and you can create granular rules for the devices/services that you want to allow.
Mostly I'm finding that this is catching SSL over ports other than 443. I'm sure there's a more elegant way to do this, but this is a learning experience for me.
What does application-default mean
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVwCAK
Application-default blocks speedtest.net
https://live.paloaltonetworks.com/t5/General-Topics/application-any-and-service-application-default-in-policy/td-p/258909
Comments
Post a Comment