https://live.paloaltonetworks.com/t5/general-topics/block-the-remote-desktop-acces-with-palo-alto-network/m-p/68732#M40036 <P>hm..maybe another rule above allows the connection. You can check this in your traffic log which rule is triggered. can you post your rule?</P> Fri, 27 Nov 2015 10:48:54 GMT iweltag 2015-11-27T10:48:54Z https://live.paloaltonetworks.com/t5/general-topics/block-the-remote-desktop-acces-with-palo-alto-network/m-p/68731#M40035 <P>Hello,</P> <P>&nbsp;</P> <P>In or company i need to block the remote desktp access of a specific address to the critical server like database server.</P> <P>I add a security rule in the PA-500 by block (ms-rdp and t.120) applictions to a specific address by without any result.</P> <P>How could i blck the remote access&nbsp;?</P> <P>Please i need you help&nbsp;</P> Fri, 27 Nov 2015 10:35:34 GMT https://live.paloaltonetworks.com/t5/general-topics/block-the-remote-desktop-acces-with-palo-alto-network/m-p/68731#M40035 RCHAIBI 2015-11-27T10:35:34Z https://live.paloaltonetworks.com/t5/general-topics/block-the-remote-desktop-acces-with-palo-alto-network/m-p/68732#M40036 <P>hm..maybe another rule above allows the connection. You can check this in your traffic log which rule is triggered. can you post your rule?</P> Fri, 27 Nov 2015 10:48:54 GMT https://live.paloaltonetworks.com/t5/general-topics/block-the-remote-desktop-acces-with-palo-alto-network/m-p/68732#M40036 iweltag 2015-11-27T10:48:54Z https://live.paloaltonetworks.com/t5/general-topics/block-the-remote-desktop-acces-with-palo-alto-network/m-p/68741#M40037 <P>Hello,</P> <P>&nbsp;</P> <P>You find in the attachment a screnshoot of the recurity rules in the PAN&nbsp;</P> <P>&nbsp;</P> <P>Thank you&nbsp;<IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/1391iEC90FF5357B9F469/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="security-rules.JPG" title="security-rules.JPG" /></P> Fri, 27 Nov 2015 11:28:45 GMT https://live.paloaltonetworks.com/t5/general-topics/block-the-remote-desktop-acces-with-palo-alto-network/m-p/68741#M40037 RCHAIBI 2015-11-27T11:28:45Z https://live.paloaltonetworks.com/t5/general-topics/block-the-remote-desktop-acces-with-palo-alto-network/m-p/68743#M40039 <P>you want to block same zome traffic? so if your client and server are on the same subnet the traffic will not forward to your palo alto (which is the default gw from your clients i think).</P> Fri, 27 Nov 2015 12:36:39 GMT https://live.paloaltonetworks.com/t5/general-topics/block-the-remote-desktop-acces-with-palo-alto-network/m-p/68743#M40039 iweltag 2015-11-27T12:36:39Z https://live.paloaltonetworks.com/t5/general-topics/block-the-remote-desktop-acces-with-palo-alto-network/m-p/68744#M40040 <P>Yes the servers and the clients desktop are in th same subnet , the same security zone . So , I can't block the traffic in this case with the PAN?</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 27 Nov 2015 13:06:38 GMT https://live.paloaltonetworks.com/t5/general-topics/block-the-remote-desktop-acces-with-palo-alto-network/m-p/68744#M40040 RCHAIBI 2015-11-27T13:06:38Z https://live.paloaltonetworks.com/t5/general-topics/block-the-remote-desktop-acces-with-palo-alto-network/m-p/68749#M40044 <P>If you can't put server to seperate subnet then you could&nbsp;do it&nbsp;with virtual wire or layer 2 setup.</P> <P>Keep in mind that traffic has to pass the firewall.</P> <P>If client and server are both connected to switch then they talk directly and traffic does not pass firewall and you can't block this traffic.</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 27 Nov 2015 13:44:33 GMT https://live.paloaltonetworks.com/t5/general-topics/block-the-remote-desktop-acces-with-palo-alto-network/m-p/68749#M40044 Raido_Rattameister 2015-11-27T13:44:33Z https://live.paloaltonetworks.com/t5/general-topics/block-the-remote-desktop-acces-with-palo-alto-network/m-p/68752#M40045 <P>ok thank you, so i can &nbsp;this &nbsp;by configuring a virtual wire in the firewall , i connect the servers directly to the firewall or by usig another switch . It it in the zoe named "serverzone". Then, i add a security rules from "internal" rules to the&nbsp;<SPAN>"serverzone" by restrict the ms-rdp.</SPAN></P> Fri, 27 Nov 2015 15:04:56 GMT https://live.paloaltonetworks.com/t5/general-topics/block-the-remote-desktop-acces-with-palo-alto-network/m-p/68752#M40045 RCHAIBI 2015-11-27T15:04:56Z https://live.paloaltonetworks.com/t5/general-topics/block-the-remote-desktop-acces-with-palo-alto-network/m-p/68754#M40046 <P>It is best practise to have users and servers in diferent zones.</P> <P>What you could do at the moment is to add another layer 3 interface to same zone you have already (inside) and attach server directly to it.</P> <P>Multiple interfaces can be in same zone.</P> <P>But in this case your traffic from inside zone to inside zone passes firewall and you can control this traffic.</P> Fri, 27 Nov 2015 15:57:55 GMT https://live.paloaltonetworks.com/t5/general-topics/block-the-remote-desktop-acces-with-palo-alto-network/m-p/68754#M40046 Raido_Rattameister 2015-11-27T15:57:55Z https://live.paloaltonetworks.com/t5/general-topics/block-the-remote-desktop-acces-with-palo-alto-network/m-p/68797#M40060 <P>you could split up the user and server space by putting them in different VLANs and then using the firewall as bridge, that way you should be able to keep your subnet configuration</P> <P>&nbsp;</P> <P>please take a look at this guide: <A title="Getting Started: Layer 2 Interfaces" href="https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-2-Interfaces/ta-p/68229" target="_self">Getting Started: Layer 2 Interfaces</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 30 Nov 2015 11:11:33 GMT https://live.paloaltonetworks.com/t5/general-topics/block-the-remote-desktop-acces-with-palo-alto-network/m-p/68797#M40060 reaper 2015-11-30T11:11:33Z