The Mysterious "stun" application
L4 Transporter
10-06-2017 09:11 AM
Does anyone have an understandable explanation of this application called "stun"? From what I can gather it's used for things like Skype and FaceTime, but it generates a lot of traffic in my network. While yes, we use Lync/Skype in-house and there are the occasional calls out to the internet, I see this application going out to Google public IPs on ports 19305 and 19302; I see port 5055 being used as well. How do you control this application?
4 REPLIES
Cyber Elite
10-06-2017 09:53 AM
Applipedia will help you out here a lot.
"Simple Traversal of User Datagram Protocol is a network protocol allowing a client behind a NAT (or multiple NATs) to find out its public address."
You'll see STUN utilized a lot for different applications, as it is currently the best way of determining the client's public IP address and detecting whether or not it is behind a NAT. SIP, WebRTC and others rely on it pretty heavily. If you are running Skype internally you should be seeing a TON of STUN traffic; iPhones will generate a bit as well because of FaceTime, and depending on the applications on the device you can expect a lot to come from Android devices as well.
STUN by itself really isn't dangerous, so there really isn't much control to be done, at least to my eyes. Allow it outside your network on application-default ports, and if your Skype infrastructure is generating too many logs in your eyes, set up a security rule to simply not log traffic going to your Skype servers.
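As an added illustration of what the reply above describes (this is not code from the thread, from Applipedia or from Palo Alto Networks), the Python below builds a STUN Binding Request, a server-side Binding Success response carrying an XOR-MAPPED-ADDRESS, and then parses that response to recover the public address and port a client behind NAT would learn about itself. The wire layout follows RFC 5389; the address 203.0.113.7 and port 54321 in the demo are constructed values. The magic-cookie check in parse_stun also shows why STUN is recognizable from its header rather than from the port it happens to use.

```python
"""Minimal STUN (RFC 5389) Binding Request/Response builder and parser.
Added example for the thread, not code from the original page."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 message
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # reflexive address, XOR'd with the cookie


def build_binding_request(txid=None):
    """Client side: 20-byte header, no attributes, random 96-bit transaction ID."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def build_binding_response(txid, public_ip, public_port):
    """Server side: echo the transaction ID and report the source address/port
    it saw on the packet, XOR'd with the magic cookie (RFC 5389 section 15.2)."""
    ip_int = struct.unpack("!I", socket.inet_aton(public_ip))[0]
    xport = public_port ^ (MAGIC_COOKIE >> 16)
    xip = ip_int ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xip)   # reserved, family IPv4
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    header = struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE)
    return header + txid + attr


def parse_stun(data):
    """Return (message_type, txid, {attr_type: raw_value}) or raise ValueError.
    The top two bits of the type must be zero and the cookie must match; that
    is what distinguishes STUN from other UDP payloads on an arbitrary port."""
    if len(data) < 20:
        raise ValueError("too short for a STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or msg_type & 0xC000:
        raise ValueError("not a STUN message")
    txid = data[8:20]
    body = data[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated STUN body")
    attrs = {}
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        attrs[atype] = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)      # attributes are padded to 32 bits
    return msg_type, txid, attrs


def mapped_address(attrs):
    """Decode an IPv4 XOR-MAPPED-ADDRESS back into (ip, port)."""
    val = attrs[ATTR_XOR_MAPPED_ADDRESS]
    _, family, xport, xip = struct.unpack("!BBHI", val[:8])
    if family != 0x01:
        raise ValueError("only IPv4 handled in this example")
    ip = socket.inet_ntoa(struct.pack("!I", xip ^ MAGIC_COOKIE))
    return ip, xport ^ (MAGIC_COOKIE >> 16)


def demo():
    """Round trip: client request, server response, client learns its public address."""
    txid = bytes(range(12))
    request = build_binding_request(txid)
    assert parse_stun(request)[0] == BINDING_REQUEST
    # Constructed: the NAT's outside address as the server would observe it.
    response = build_binding_response(txid, "203.0.113.7", 54321)
    msg_type, resp_txid, attrs = parse_stun(response)
    assert msg_type == BINDING_SUCCESS and resp_txid == txid
    return mapped_address(attrs)


if __name__ == "__main__":
    print(demo())
```

The transaction ID is what lets a client match responses to requests when several are in flight, and the XOR encoding exists so that ALGs on the path do not rewrite the embedded address the way they sometimes do with plain MAPPED-ADDRESS.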
10-06-2017 09:57 AM
So I have a rule to allow the stun application on application-default service ports, but I see it hitting my allow-all at the end of the list on different ports. So should I allow "any" in the service ports section?
10-09-2017 02:18 PM
Kind of up to you at that point. Where exactly are you seeing the 'stun' traffic, from Trust to Untrust? I would first start to look at the logs and see if you can narrow this down to a more specific source or destination rule.
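Following the suggestion above to look at the logs and narrow the catch-all hits to a more specific source or destination, here is an added example (not from the thread or from Palo Alto Networks) that reads a constructed, simplified traffic-log CSV and summarizes the stun sessions that matched the catch-all rule by zone pair, destination port and source, and lists the destinations seen on each port. The column layout, the rule names "allow-all" and "allow-stun-default", and all addresses are assumptions for illustration; a real PAN-OS CSV export carries many more columns, but the grouping logic is the same.

```python
"""Triage stun sessions that landed on a catch-all rule so a tighter rule can be
written for the real sources/destinations. Added example, not from the thread."""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in a simplified traffic-log-like CSV layout. Column subset,
# order, rule names and addresses are assumptions, not a real PAN-OS export.
SAMPLE_LOG = """\
time,from_zone,to_zone,src,dst,dport,proto,app,rule
2017-10-06 09:01:02,trust,untrust,10.1.20.15,142.250.80.10,19302,udp,stun,allow-all
2017-10-06 09:01:05,trust,untrust,10.1.20.15,142.250.80.10,19305,udp,stun,allow-all
2017-10-06 09:01:09,trust,untrust,10.1.20.44,52.112.65.20,3478,udp,stun,allow-stun-default
2017-10-06 09:02:11,trust,untrust,10.1.30.7,203.0.113.5,5055,udp,stun,allow-all
2017-10-06 09:02:30,trust,untrust,10.1.20.15,142.250.80.11,19305,udp,stun,allow-all
2017-10-06 09:03:00,trust,untrust,10.1.30.7,203.0.113.5,5055,udp,stun,allow-all
2017-10-06 09:03:10,trust,untrust,10.1.20.44,52.112.65.20,3478,udp,stun,allow-stun-default
2017-10-06 09:03:12,trust,dmz,10.1.20.44,10.9.0.5,3478,udp,stun,allow-all
"""


def triage(csv_text, catchall_rule="allow-all", app="stun"):
    """Summarize sessions of `app` that matched `catchall_rule` instead of a
    more specific rule above it in the policy."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    hits = [r for r in rows if r["app"] == app and r["rule"] == catchall_rule]
    dsts_by_port = defaultdict(set)
    for r in hits:
        dsts_by_port[int(r["dport"])].add(r["dst"])
    return {
        "sessions": len(hits),
        "zone_pairs": dict(Counter((r["from_zone"], r["to_zone"]) for r in hits)),
        "dports": dict(Counter(int(r["dport"]) for r in hits)),
        "sources": dict(Counter(r["src"] for r in hits)),
        "dsts_by_port": {p: sorted(d) for p, d in dsts_by_port.items()},
    }


def report(summary):
    """Render the summary as lines, most-hit items first, for a quick read."""
    lines = [f"{summary['sessions']} catch-all sessions"]
    for (fz, tz), n in sorted(summary["zone_pairs"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  zones {fz} -> {tz}: {n}")
    for port, n in sorted(summary["dports"].items(), key=lambda kv: -kv[1]):
        dsts = ", ".join(summary["dsts_by_port"][port])
        lines.append(f"  udp/{port}: {n} session(s) to {dsts}")
    for src, n in sorted(summary["sources"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  source {src}: {n}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

In the constructed data the catch-all hits collapse to three sources, two of which talk to a handful of destinations on udp/19302, udp/19305 and udp/5055; that is the shape of information that lets you write a source/destination-scoped rule with a non-default service instead of opening "any" service for stun across the whole zone pair. The trust-to-dmz hit is the kind of outlier worth a separate look before it is folded into an internet-facing rule.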
01-04-2024 08:22 AM
Palo Alto doesn't do that great a job identifying traffic unless you are running a cert store and issuing a cert to every device on your network. We in education see STUN used mostly for MS Teams and FaceTime, for which Palo Alto has App-IDs, but since we don't run a cert store, not all traffic can be fully decrypted and identified properly by App-ID. A better suggestion might be to set up QoS with low real-time bandwidth, create a QoS rule for STUN to use that low bandwidth, and see who screams; then find out what they are doing and whether it is allowed traffic or not. Most of the time you will find it is all personal and not business-related, unless you rely heavily on VoIP apps like Skype, MS Teams, WebEx, SIP phones, etc.
- 43308 Views
- 4 replies
- 0 Likes