topic Re: Pc does not join into Domain in General Topics

Pc does not join into Domain

david_rivas1 — Fri, 01 Jun 2012 11:04:39 GMT

Hi,

I can not join into a domain when the computer pass through PA.

This is my scennario:

PC - PaloAlto - Switch - DomainController

The PC and Domain controller are in the same Zone (trust) and I have a security rule: from zone trust, to zone trust, permit all.

I can see a lot og kerberos v5 packet with bad checksum.

Regards,

Re: Pc does not join into Domain

npare — Fri, 01 Jun 2012 14:33:13 GMT

Hi,

Unless you have a deny all rule, you don't need a rule that specifies that from trust to trust is allowed. By default, any traffic staying in the same zone is allowed by the firewall.

Is the workstation in the same subnet as the domain controller?

Have you looked at logs for traffic originating from that source for a connection that could have been blocked? I would doubt it since it's same zone but it's good to check to be sure, there might be a block rule in your policy somewhere that blocks some of the connections.

I would also consider NAT, can the PC reach the domain controller and vice versa.

Re: Pc does not join into Domain

mikand — Fri, 01 Jun 2012 18:39:32 GMT

If this is a fresh install you need to setup "deny + log" as last rule (traffic is denied by default as hidden last rule but that hidden rule doesnt log the blocked traffic).

Re: Pc does not join into Domain

david_rivas1 — Fri, 01 Jun 2012 20:31:38 GMT

I have a default block rule for log all traffic. I do not see any block between trust and trust zone. I can see ldap and kerberos application allowed. Also I can see ldap acctive sessions in the Session log.

I configured the permit rule from/to trust zone. The Pc and DC are not in the same network, they are connected through layer 3 routing with static routes.

In the past I had troubles with multicast, this traffic was not displayed on traffic logs. I thank join into windows 2008 domain could use multicast traffic but I did not see it on the sniffed traffic on PC.

Regards,

Re: Pc does not join into Domain

david_rivas1 — Wed, 06 Jun 2012 16:26:05 GMT

I have mount a lab (DC - PaloAlto - Client), both on same zone and I got the same error. I tried without a explicit block roule and I tried with PanOS 4.0 and 4.1 with no success.

We finally decide to open a case to PaloAlto.

Regards,

Re: Pc does not join into Domain

david_rivas1 — Tue, 12 Jun 2012 15:23:23 GMT

I have done a packet capture and I see netbios packets dropped.

Re: Pc does not join into Domain

david_rivas1 — Thu, 09 Aug 2012 11:45:08 GMT

disabling session offload, the packets are cached by PaloAlto device.

Re: Pc does not join into Domain

mikand — Mon, 20 Aug 2012 22:14:47 GMT

What do you mean by that the are cached by the PA device?

Session offloading is as far as I understand a way to optimize resources of the FPGA/ASIC in the PA.

When you disabled session offloading I assume this is done globally, did you notice any other behaviour changes when you did this (performance decrease or such)?

Re: Pc does not join into Domain

david_rivas1 — Tue, 21 Aug 2012 06:52:23 GMT

I would mean, when I do a packet capture I do not see the kerberos pre-authentication packet, and If I do a port mirroring on the switch where is connected the PA or disabiling session offloading and lookin packet capture again, then I can see the kerberos pre-authentication packet.

I have a case opened in PaloAlto support to solve this problem.

Re: Pc does not join into Domain

mikand — Tue, 21 Aug 2012 07:41:16 GMT

Please keep us updated 🙂

To me it sounds like this preauth packet somehow is incorrectly dropped (didnt match any allow policy).

If possible, will it be dropped even if you use appid:any and service:any between the two ip addresses?

Re: Pc does not join into Domain

david_rivas1 — Tue, 21 Aug 2012 08:19:25 GMT

The packet is not dropped because when you use packet capture, you can choose different stages. If it was dropped it shoud appear in drop stage, and even if it is dropped or not it should appear on received stage and it does not appears in any stage. It only appears in received stage when I use no session offline.

The PaloAlto has a permit any any any ... and both sides of traffic are in the same security zone. Also multicast is allowed (but it is not a multicast traffic).

This case is only happening in one scenario. We tryed to reproduce it in a lab and we have not this problem.

Re: Pc does not join into Domain

mikand — Tue, 21 Aug 2012 08:38:14 GMT

Since its not reproducable, could it be that the packet have bad checksum or something?

Which with offloading would drop the packet straight away but with offloading disabled would hit the received stage (and then being discarded)?

Re: Pc does not join into Domain

david_rivas1 — Tue, 21 Aug 2012 08:58:03 GMT

Hello mikand,

In my wireshark capture (done using port mirroring in the switch) any packet does not show bad checksum error.

When I disable offloading the packet hit the received stage and pass through firewall and users complete the pre-authentication.

This case has appeared when I tried to change a Fortigate firewall with a PaloAlto. With Fortigate firewall the problem did not exists, like PaloAlto without offloading enabled.

This facts let us think it is a PaloAlto issue on his session hardware acceleration but only on this client, because we are not able to reproduce the scenario.

Re: Pc does not join into Domain

ftbaraoidan — Tue, 31 Aug 2021 03:11:40 GMT

Hi All,

I also experienced the same issue, do we have already solution on this one?