Skype is not Blocked for Computers Entering Network with Skype Already Signed In

Skype is not Blocked for Computers Entering Network with Skype Already Signed In

13348
Created On 09/25/18 18:40 PM - Last Modified 02/07/19 23:51 PM


Resolution

Issue

The Palo Alto Networks firewall does not block Skype for computers that are brought into the network with Skype already signed in.

Resolution

Recent changes to the Skype Application requires that "msn-base" be blocked for Skype. Create security policies under Policies > Security as illustrated in screenshot below to completely block Skype. In short, the second policy in the screenshot allows "skype-probe" and the third policy denies both "skype" and "msn-base".

Skype_BLocked.png

The Skype application has three dependencies:

Screen Shot 2015-02-05 at 9.42.39 AM.png

The reason for the msn-base in dependency list is that Skype uses msn-base to authenticate against Microsoft servers. This dependency was introduced after Skype was acquired by Microsoft.

Note: This is a short term solution. Completely blocking Skype is an active work in progress to enhance Skype identification without relying on blocking other applications.

owner: jlunario



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQWCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language