topic Re: RSH session issue passing through the Palo Alto in General Topics

RSH session issue passing through the Palo Alto

TranceforLife — Wed, 22 Jun 2016 11:04:35 GMT

Hi Guys,

Interesting one.

1x2.1x4.1x4.1x5 makes an initial connection using RSH the 192.168.0.20 then creates a separate RSH session back to the originating server but this always fails as the Palo seems to ignore the rule and NAT that is in place for this.

Any suggestions/advises are welcome.

Thanks

Re: RSH session issue passing through the Palo Alto

Raido_Rattameister — Tue, 21 Jun 2016 12:20:37 GMT

Have not worked with RSH but assuming that reverse connection ports are communicated in the beginning of session (similar to FTP) and this session is not decrypted on firewall (you are not doing SSH proxy) then how should Palo know what ports to open for return traffic?

Re: RSH session issue passing through the Palo Alto

TranceforLife — Tue, 21 Jun 2016 12:38:40 GMT

Hi Raido,

Correct. This session is similar to the FTP session.

Server in Management LAN ( 1x2.1x4.1x4.1x5) initiates a RSH session (port 514) to the 192.168.2.80 server. They agree another port for return (example tcp port 707). 192.168.2.80 opens a new session to the Server in Management LAN on agreed port.

Details of traffic:

Incoming from 1x2.1x4.1x4.1x5 to 1x2.1x4.1x9.2x2 using RSH
(Management) 1x2.1x4.1x4.1x5 (rsh 514) ----> 1x2.1x4.1x9.2x2 Bidirectional NAT ----> (NPS)192.168.2.80

Outgoing from 192.168.2.80 to 1x2.1x4.1x4.1x5 response to initial packet above connects back to authenticate on agreed port using RSH
(NPS) 192.168.2.80 (rsh 512-1023) ----> Bidirectional NAT 1x2.1x4.1x9.2x2 ----> 1x2.1x4.1x4.1x5 (Management)

Re: RSH session issue passing through the Palo Alto

Raido_Rattameister — Tue, 21 Jun 2016 13:06:06 GMT

NAT is not enough.

Security policy will probably take this traffic down.

Try to create allow any any from 192.168.2.80 to management LAN PC that initiates connection.

If it works then remove this any any rule and set up SSH proxy under decyption tab and test if it keeps on working.

Re: RSH session issue passing through the Palo Alto

nikoo — Tue, 21 Jun 2016 13:44:59 GMT

My guess it will not work as FTP, because it seems like Palo Alto does not have ALG for RSH. https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/app-id/application-level-gateways

So reverse connection will not be opened automatically - NAT and security rules have to be in place. If you have that, try splitting NAT into two rules (do not use bidirectional), I stumbled upon strange behaviour of bidirectional rule once, but dunno if it the real problem.

Also try using CLI with #test nat-policy-match and #test security-policy-match to make sure the traffic is hitting it should be hitting. If it is not - check the rules. I think at least RSH should work without decryption in place.

Re: RSH session issue passing through the Palo Alto

Roby_Sreejith — Tue, 21 Jun 2016 14:07:02 GMT

Can you see the sessions are "PREDICT" in that case, you can try app override if ALG is creating issue.

Re: RSH session issue passing through the Palo Alto

TranceforLife — Tue, 21 Jun 2016 14:18:25 GMT

Hi Vieplis,

l appreciate all your comments.

So Palo will monitor FTP session/application and should open all agreed ports between client-server.

But why it doesn't for RSH. Initially, it is allowing, but the session that returns back with different ports traffic hits completely wrong rule.

Cheers

Re: RSH session issue passing through the Palo Alto

TranceforLife — Tue, 21 Jun 2016 14:17:31 GMT

Good point Roby. As the system is not alive cannot test it, tomorrow will have more time.

Re: RSH session issue passing through the Palo Alto

nikoo — Tue, 21 Jun 2016 14:30:31 GMT

Yes, for FTP Palo Alto has the knowledge for ALG to work properly and dynamically open data connections based on control traffic.

For RSH it does not have the knowledge of inner workings for RSH, so it does see the first connection and as NAT/Security rulles allows it through - it is allowed further. When RSH creates second session back, Palo Alto has no clue that this second session was derived from the first session - it sees it as a seperate connection and if there are no NAT/Security rules - it is denied. It will not hit the same security rule as first session (it should hit the bidirectional NAT rule though) unless it is configured to do so.

Do you have security rule for two way communication? Or just one rule to initiate first session?

Re: RSH session issue passing through the Palo Alto

TranceforLife — Wed, 22 Jun 2016 12:15:10 GMT

Policy from left>right

Management_to_Spock_Khan {
from Management;
source [ 1x2.1x4.1x4.1x5];
source-region none;
to NPS;
destination [ 1x2.1x4.1x9.2x1 1x2.1x4.1x9.2x2 ];
destination-region none;
user any;
category any;
application/service [ any/tcp/any/514 any/tcp/any/544 ];
action allow;
icmp-unreachable: no
terminal yes;

Policy from right>left

ASP_to_Management_Unix {

from NPS;
source [ 192.168.2.161 192.168.2.18 192.168.2.85 192.168.2.80 ];
source-region none;
to Management;
destination 1x2.1x4.1x2.0/21;
destination-region none;
user any;
category any;
application/service rsh/tcp/any/514;
action allow;
icmp-unreachable: no
terminal yes;

Re: RSH session issue passing through the Palo Alto

nikoo — Wed, 22 Jun 2016 07:53:42 GMT

Can you please post a traffic log example which is denied? So we can probably compare it to the security rules.

Re: RSH session issue passing through the Palo Alto

TranceforLife — Wed, 22 Jun 2016 12:17:15 GMT

Application override resolved the issue. Thank you all for the help