topic Re: Having problems with TCP port allowance in General Topics

Having problems with TCP port allowance

ruiptoliveira — Tue, 12 Mar 2024 23:22:55 GMT

Good morning/afternoon/night to everyone.

I'm using for the first time Palo Alto Firewall and I'm having some troubles allowing TCP port 2245.

At the moment I have this NAT Rules:

and I have this Security Rules:

PS: note that I also have some rules for TCP/UDP ports related to WHM and cPanel.

Can someone tell me if I'm doing something wrong?

Other important infos

gp-public and gp-public-2 are the two public IP addresses that are associated to the server
mainCyber_Private is the private IP for the server
Monitor:
I don't have a "private firewall" on the server
The server is listening on that port and that port can be accessed internally:

Re: Having problems with TCP port allowance

JayGolf — Wed, 13 Mar 2024 05:39:55 GMT

Hi @ruiptoliveira ,

From a quick glance, your NAT and Security Policy looks good. I'm assuming one of those IPs in the destination is the true source IP (internal) of the server and I see the traffic is being allowed.

If you click on detailed log view of the traffic, can you verify NAT is forwarding to the correct private IP. Also check if the traffic shows it show bytes sent, but not returned? If none are being returned then there could be an issue with the traffic getting down to the private server or an issue with the private server itself. Do you have any L3 devices between the firewall and the server? I see the localhost test shows the server is listening on the service port. Can you test from another host that doesn't traverse the Palo to get to the server? If that test works, could you run a tcpdump on the private server to see if you see the forwarded packets getting there? If so, I would verify that the server has a default gateway configured so it knows to point the return traffic up through your Palo since I see the public true source IP will be going through the Palo. You can test out L3 issues by applying a SNAT translation to the inside interface of your Palo and see if your traffic is successful then.

Re: Having problems with TCP port allowance

JoergSchuetter — Wed, 13 Mar 2024 07:46:44 GMT

Hello

The NAT rule let me assume, that you are using IPv4. On the other hand the "curl" command was using IPv6. Is the given port reachable w/ IPv4 as well?

Re: Having problems with TCP port allowance

ruiptoliveira — Sat, 16 Mar 2024 16:28:24 GMT

Hello Jay,
Hope everything's good with you and your family/friends.

I've followed your advice to check the detailed logs of monitor (to be honest, for some reason, I never went there), and I found something that I think is odd (the source port is 51238 and I'm not sure if it is supposed to be like this since I'm searching on the web for DOMAIN.COM:2245 or using Postman for the domain:2245 or ip:2245).

Re: Having problems with TCP port allowance

ruiptoliveira — Sat, 16 Mar 2024 16:31:18 GMT

Hey Joerg,
Hope everything is okay with you and your family.

I'm not sure if I understood your question, but I think I did.
I've internally tested the port for the local IPv4 (127.0.0.1) and it works just fine.