topic Re: Having trouble granting access for an application in General Topics

Having trouble granting access for an application

pasmartin — Fri, 25 Jul 2014 11:50:55 GMT

Hi!

One of our customers have RDP access to a server, works like a charm.

And now I was about to grant access to an application using port 4850 and 4851, but it would seem that this wouldn't be that simple.

I've attached the NAT of the working RDP, and the non-working OPC application:

(I've also added the newly created application to the existing Security rule that allows RDP.)

I want to add that the newly created application has not been given any signatures - only properties, characteristics, timeouts and the ports itself. But even if the application somehow is "wrongly" created, at least the ports should be registered open?

Anyone have any clue as to what I might have forgotten, or rather have done wrong?

I'll provide more information if needed.

Re: Having trouble granting access for an application

pasmartin — Fri, 25 Jul 2014 12:30:52 GMT

Thought I found a solution, but this didn't work either:

Adding a Custom Application/Ports to Security Policy

Added the services without the RDP at first, noticing the connection was terminated, and was re-established when I added it. So there must be something I'm missing in regards to the other ports.

Re: Having trouble granting access for an application

ajbool — Fri, 25 Jul 2014 13:34:15 GMT

Create an "Application Override" policy for your new application for traffic destined to the server's IP and port....

Re: Having trouble granting access for an application

HULK — Fri, 25 Jul 2014 15:39:54 GMT

Hello Pred-martin,

(1) Could you please check, if there is any session available on the PAN firewall, Use CLI by using '>show session all filter source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION'. ( Collect the session ID)

(2) If there is a session exist for the same traffic, then please apply CLI command PAN> show session id XYZ >>>>>>>> to get detailed information about that session, i.e Application, port, NAT rule, security rule, ingress/egress interface etc.

(3) verify the global counters, if a specific "DRP" counter is increasing rapidly.

- Create a packet filter under GUI > Monitor > Packet capture

-Apply below mentioned command multiple times, while try to establish the RDP connection. ( with 2 seconds interval)

> show counter global filter packet-filter yes delta yes

The command show counter global provides information about the processes/actions taken on the packets going through the device; if they are dropped, nat-ed, decrypted etc. These counters are for all the traffic going through the device and are useful in troubleshooting issues; like packet loss. It is advised to use the command show counter global filter packet-filter yes delta yes in conjunction with filters to obtain meaningful data.

For more information, you can follow the DOC What is the Significance of Global Counters?

(4) Could you please share the custom service details ( snapshot) for OPC-UA-4850, OPC-UA-4851, RDP-3390.

Hope this helps.

Thanks

Re: Having trouble granting access for an application

pasmartin — Thu, 31 Jul 2014 08:50:03 GMT

Sorry for my delayed response to your help.

I tried the Application Override, to no avail. I also conferred with a "local" support, who claimed everything looked like it should be.
As for your "CLI option", HULK, I didn't get any results. Don't know whether that was due to wrong input or something else, but I couldn't use more time on the issue, so I just added the external IP to the server in question, which solved everything. Guess I must have missed a detail in regards to the NAT-ing(?!), but the question is what. The setup was indentical to the working RDP.

Thanks anyway