
Palo Alto Networks Firewall and Xbox Live



By WirelessPhreak, Monday, January 21, 2019

Symptoms

As people become more focused on securing their home networks, the idea of an "enterprise" firewall for home use is no longer out of the ordinary. This focus has grown over time partly because of teleworking and job requirements, but also because some people realize that securing their home network is just as important as securing their "enterprise" network. For us gamers, though, this causes an issue. I have been given the opportunity to use my own Palo Alto Networks (PAN) PA-220 firewall at home. While the initial setup didn't cause any problems, I hit one major issue that was almost make-or-break for keeping the PA-220: my Xbox One did not function properly, and I could not update games, use group chat, or do anything an Xbox One should do.

Issue

When connecting to the Xbox Live service or PlayStation Network, the console establishes client (outbound) connections to the service. When hosting some games, or using some applications, an inbound connection from the Xbox Live service or PlayStation Network to the console is also required. If these inbound connections cannot be established, the console reports that strict NAT has been detected.

The consoles are compatible with UPnP devices, which allow dynamic opening of TCP and UDP ports to forward the traffic required for connectivity to the service. UPnP-enabled routers allow port forwarding to be configured on the device dynamically, based on requests coming from internal devices. In a UPnP environment, the console requests that the appropriate ports be forwarded to allow the traffic.

Palo Alto Networks firewalls are not compatible with UPnP. Requests from a console via UPnP to open ports are ignored by the firewall. Instead, a 1-to-1 static NAT mapping must be created to forward the appropriate ports to the console from the Xbox Live service or PSN.

Resolution

The following is my configuration setup to fix my Xbox One as well as other gaming consoles which need Universal Plug and Play (UPnP).

Quick Tangent: While UPnP is a great idea for making home networking easier, it opens up inside resources to many potential attacks. At a basic level, UPnP allows devices on the same network to discover each other dynamically so that they can communicate for data sharing and entertainment purposes. While this sounds good, the security risk is that UPnP also dynamically adds port forwarding to the home router without human intervention. This dynamic port forwarding allows any and all ports to be reached inside the network from the outside Internet, with no protection. It is for this reason that any "enterprise" firewall will NEVER support UPnP. Of course, when it comes to gaming and our relaxation time, we don't care about the risks; we just want our games to work.

The following configuration assumes that all basic connectivity has already been configured on your PA-220. It is my current setup and has not had any issues since the day I configured it.

The below is an extremely basic PA-220 configuration, but the security policy I want to highlight is the Outbound-Xbox rule.

All firewall security policies are created under Policies >> Security >> Add.

Note: The Outbound-Xbox NAT rule must sit above the general Outbound Internet rule; otherwise the Xbox traffic will never hit the dedicated Xbox NAT rule (created next).

Xbox Security Rule:

I configured my Xbox security policy to use the console's dedicated (DHCP-reserved) IP address as the source address. (Creating a DHCP address reservation is not covered in this article.)

  • The source is my dedicated Xbox/Gaming reserved address, as I only wanted to NAT my Xbox traffic.

  • The destination is my UnTrust (Outside) security zone.

  • Application: this is the bread and butter of Palo Alto's Next-Generation Firewall.

  • The list in the image below shows the applications I had fingerprinted at the time of writing. As applications' default ports change and Microsoft adds more applications, this field will need to be updated from time to time.
    • Please note: a Layer 4 firewall rule will work, but what is the point of having a Ferrari in the garage if you're not going to use it to its potential?

  • Action: allow, of course.

All other options are not covered here.

The below is an extremely basic PA-220 configuration, but the NAT policy I want to highlight is the Xbox_NAT rule.

All firewall NAT policies are created under Policies >> NAT >> Add.

Xbox NAT Rule:

I configured my Xbox NAT policy to use a dedicated source address. (Creating a DHCP address reservation is not covered in this article.)
  • The packet source is the Trust/Inside network.
  • The packet destination is my UnTrust (Outside) zone.
  • The packet destination interface is the interface facing my ISP/dynamic client.
  • The source is my dedicated Xbox/Gaming reserved address, as I only wanted to NAT my Xbox traffic.
  • The packet destination and service are set to ANY, as we want all traffic from the Xbox to be NAT'd.

THE FOLLOWING IS THE SECRET TO FIXING ALL UPnP ISSUES
  • Translated Packet
  • The source translation must be a fixed static IP address.
  • The IP address (blanked out below) MUST be the IP address given by your ISP to your home "modem", which is now the firewall.
    • NOTE: If the address assigned to your Internet Layer 3 link ever changes, this NAT rule MUST be updated. In the year-plus since implementing this, I have never had to change the address, as the ISP wants to be stable and follows the basic rules of DHCP: my ISP has always assigned me the same address when my DHCP lease renews.
  • The last major configuration item is to set "bi-directional: yes".
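As an added example (not the author's configuration and not anything published by Palo Alto Networks), the Python script below turns the security rule and the NAT rule described above into PAN-OS configure-mode `set` lines and checks the inputs this post says matter: a reserved RFC1918 console address, a routable public translated address, a non-empty App-ID list, and the Xbox NAT rule ordered above the catch-all outbound NAT rule. It goes one step beyond the post by also rejecting a carrier-grade NAT address (100.64.0.0/10) as the translated IP, since a 1-to-1 mapping to a CGNAT address can never receive inbound Xbox Live connections. The zone names, the WAN interface, the catch-all rule name, the `xbox-live` App-ID list and the 203.0.113.10 sample address are assumptions or placeholders; replace them with your own values and verify the generated syntax against your PAN-OS version before committing.

```python
"""Added example, not the post's own configuration: build PAN-OS 'set' lines
for a bi-directional static source NAT rule plus an App-ID security rule for
one console, and sanity-check the inputs. Zone, interface and rule names are
assumptions chosen to mirror the post's wording."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ranges that can never serve as a usable 1-to-1 public mapping. 100.64.0.0/10
# is carrier-grade NAT: if the ISP hands the firewall one of these, inbound
# Xbox Live sessions cannot reach you however the NAT rule is written.
NOT_PUBLIC = RFC1918 + [ipaddress.ip_network(n) for n in
                        ("100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class XboxNatConfig:
    console_ip: str                      # DHCP-reserved address of the console
    public_ip: str                       # address the ISP assigned to the WAN link
    trust_zone: str = "Trust"            # assumed zone name
    untrust_zone: str = "UnTrust"        # assumed zone name
    wan_interface: str = "ethernet1/1"   # assumed ISP-facing interface
    nat_rule: str = "Xbox_NAT"
    security_rule: str = "Outbound-Xbox"
    general_nat_rule: str = "Outbound-Internet"  # assumed catch-all rule name
    # Placeholder App-ID list; replace with the applications you fingerprinted.
    applications: List[str] = field(default_factory=lambda: ["xbox-live"])


def _in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def validate(cfg: XboxNatConfig) -> List[str]:
    """Return a list of problems; an empty list means the inputs look sane."""
    problems = []
    if not _in_any(cfg.console_ip, RFC1918):
        problems.append(f"console address {cfg.console_ip} is not an RFC1918 address")
    if _in_any(cfg.public_ip, NOT_PUBLIC):
        problems.append(f"translated address {cfg.public_ip} is not a routable public "
                        "address; it must be the IP your ISP assigned to the firewall")
    if not cfg.applications:
        problems.append("security rule has no App-IDs, so it would match nothing")
    return problems


def nat_rule_commands(cfg: XboxNatConfig) -> List[str]:
    """Xbox_NAT: any destination/service, static 1-to-1 source translation to
    the public IP, bi-directional so inbound sessions map back to the console."""
    base = f"set rulebase nat rules {cfg.nat_rule}"
    return [
        f"{base} from {cfg.trust_zone}",
        f"{base} to {cfg.untrust_zone}",
        f"{base} to-interface {cfg.wan_interface}",
        f"{base} source {cfg.console_ip}",
        f"{base} destination any",
        f"{base} service any",
        f"{base} source-translation static-ip translated-address {cfg.public_ip}",
        f"{base} source-translation static-ip bi-directional yes",
        # NAT rules are evaluated top-down; the console must hit this rule first.
        f"move rulebase nat rules {cfg.nat_rule} before {cfg.general_nat_rule}",
    ]


def security_rule_commands(cfg: XboxNatConfig) -> List[str]:
    """Outbound-Xbox: App-ID based allow rule scoped to the console only."""
    base = f"set rulebase security rules {cfg.security_rule}"
    return [
        f"{base} from {cfg.trust_zone}",
        f"{base} to {cfg.untrust_zone}",
        f"{base} source {cfg.console_ip}",
        f"{base} destination any",
        f"{base} application [ {' '.join(cfg.applications)} ]",
        f"{base} service application-default",
        f"{base} action allow",
    ]


def nat_order_ok(ordered_nat_rules: List[str], cfg: XboxNatConfig) -> bool:
    """True if the Xbox rule sits above the general outbound rule (or the
    general rule is absent), which is what the post's note requires."""
    if cfg.nat_rule not in ordered_nat_rules:
        return False
    if cfg.general_nat_rule not in ordered_nat_rules:
        return True
    return ordered_nat_rules.index(cfg.nat_rule) < ordered_nat_rules.index(cfg.general_nat_rule)


if __name__ == "__main__":
    # Constructed sample: 203.0.113.10 is a documentation placeholder, not a real ISP address.
    cfg = XboxNatConfig(console_ip="192.168.1.50", public_ip="203.0.113.10")
    for problem in validate(cfg):
        print("WARNING:", problem)
    print("\n".join(nat_rule_commands(cfg) + security_rule_commands(cfg)))
```

Run it once with your own console and WAN addresses; if `validate` reports the translated address as non-routable, the 1-to-1 mapping will not work regardless of the rule, and the `move ... before` line is the CLI equivalent of dragging the Xbox NAT rule above the general outbound rule in the web UI.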

If the above NAT rule and security policy are configured with the proper information, all UPnP issues will be a problem of the past. I have never had an issue, other than adding applications to my security policy from time to time. I have used this configuration on multiple PA-220s and it works every time. Without the above rules, some games might work, but group chat will always be broken.

For information on how to configure a static 1-to-1 destination NAT policy, or bi-directional NAT mapping please refer to the Understanding PAN-OS NAT document.

Please enjoy, and hopefully this will help anyone avoid the headaches, research and trial and error that I went through. Hopefully this configuration will also allow everyone, including myself, to keep our games while making sure we are securing and protecting our valuable resources inside the network. With this configuration, we can function without any issues while protecting the network from the UPnP vulnerabilities that all gaming systems rely on, especially Xbox/Microsoft.
