https://live.paloaltonetworks.com/t5/general-topics/allow-domain-services-through-pan-2050/m-p/38643#M28313 <HTML><HEAD></HEAD><BODY><P>Do you have any security profiles enabled? (I've noticed that joining a computer to the domain sets of the IPS/IDS if the profile is restrictive.)</P><P></P><P>Do you have any service/ports defined in the security policy? I've left mine to any because AD uses some many different ephemeral ports.</P><P></P><P>Edit: I checked my rule, and these are all the apps I have allowed for AD:</P><P>active-directory</P><P>dns</P><P>icmp</P><P>kerberos</P><P>ldap</P><P>ms-ds-smb</P><P>ms-netlogon</P><P>msrpc</P><P>netbios-dg</P><P>netbios-ss</P><P>ntp</P><P>ping</P><P>rpc</P><P></P><P>Message was edited by: Matthew Harding</P></BODY></HTML> Fri, 19 Oct 2012 17:51:39 GMT mharding 2012-10-19T17:51:39Z https://live.paloaltonetworks.com/t5/general-topics/allow-domain-services-through-pan-2050/m-p/38642#M28312 <HTML><HEAD></HEAD><BODY><P>I am trying to allow windows active directory services (2008 domain) through the firewall, in between zones.&nbsp; I have created my policy to allow the following applications:</P><P></P><P>active-directory</P><P>ms-ds-smb</P><P>msrpc</P><P>netbios-ss</P><P>dns</P><P>ms-win-dns</P><P>ms-wins</P><P>netbios-dg</P><P>ms-netlogon</P><P></P><P>I have created rules for bi-directional access. </P><P></P><P>I am unable to join a server to the domain however.&nbsp; I ran a packet capture and was seeing netbios traffic being dropped (UDP 137) but I have allowed several app-id applications that allow this protocol.</P><P></P><P>Any ideas?</P><P></P><P>Thanks!</P></BODY></HTML> Fri, 19 Oct 2012 17:19:44 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-domain-services-through-pan-2050/m-p/38642#M28312 UncleRico 2012-10-19T17:19:44Z https://live.paloaltonetworks.com/t5/general-topics/allow-domain-services-through-pan-2050/m-p/38643#M28313 <HTML><HEAD></HEAD><BODY><P>Do you have any security profiles enabled? (I've noticed that joining a computer to the domain sets of the IPS/IDS if the profile is restrictive.)</P><P></P><P>Do you have any service/ports defined in the security policy? I've left mine to any because AD uses some many different ephemeral ports.</P><P></P><P>Edit: I checked my rule, and these are all the apps I have allowed for AD:</P><P>active-directory</P><P>dns</P><P>icmp</P><P>kerberos</P><P>ldap</P><P>ms-ds-smb</P><P>ms-netlogon</P><P>msrpc</P><P>netbios-dg</P><P>netbios-ss</P><P>ntp</P><P>ping</P><P>rpc</P><P></P><P>Message was edited by: Matthew Harding</P></BODY></HTML> Fri, 19 Oct 2012 17:51:39 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-domain-services-through-pan-2050/m-p/38643#M28313 mharding 2012-10-19T17:51:39Z https://live.paloaltonetworks.com/t5/general-topics/allow-domain-services-through-pan-2050/m-p/38644#M28314 <HTML><HEAD></HEAD><BODY><P>Thanks!&nbsp; It looks like adding kerberos, rpc, and ldap seemed to do the trick.&nbsp; </P></BODY></HTML> Fri, 19 Oct 2012 20:43:20 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-domain-services-through-pan-2050/m-p/38644#M28314 UncleRico 2012-10-19T20:43:20Z