topic Re: How to allow RDP with specific port. in General Topics

How to allow RDP with specific port.

ugalarosa — Thu, 07 Dec 2017 02:01:41 GMT

Good day.

I am new in handling firewall. We use juniper before (i did not setup).

Before we can remote access (remote desktop protocol) our network. I would like to setup that kind of connection again.

Before on the remote desktop connection, we just put IP Address:port number + domain account (authentication).

How to setup like that?

Thank you.

Best regards,

Uldridge

Re: How to allow RDP with specific port.

reaper — Thu, 07 Dec 2017 09:09:52 GMT

Hi @ugalarosa

Most likely your policy should look like this:

From source zone

to destination zone

application ms-rdp

service: a service object containing the appropriate port(s) for your rdp

action allow

profile: security profiles to scan your sessions for malicious content

Re: How to allow RDP with specific port.

BPry — Thu, 07 Dec 2017 17:47:54 GMT

@ugalarosa,

Do you already have GlobalProtect configured to actually allow users to VPN into the network, or was your Juniper simply setup with NAT statements to direct traffic to the proper desktop from the outside?

Generally for something like this you would setup GlobalProtect for allowing remote access into the network, and then your RDP port would actually be left alone and everyone would simply RDP to the hostname or the IP assigned to the host of their workstation. If you are using random RDP ports on the machines, then what @reaper has listed would need to be done to actually allow that access since you are not using the standard ports for the ms-rdp app-id.

If you were going to your Public IP address on specific ports to access your machine remotely, I would really recommend you switch to having users VPN into the network instead of opening up these ports for outside access. While the Palo Alto is perfectly capable of mimicing this configuration, if this is what you were doing, it is by no means a secure configuration at all.

Re: How to allow RDP with specific port.

ugalarosa — Fri, 08 Dec 2017 06:22:54 GMT

Hi @reaper,

Good day.

I tried to copy the policy as much as possible.

but I have some concern. (Sorry I am new to Palo Alto)

In the picture you send

Source:

zone: the is no "local". I can only choose from access, external, internal, ISP2, Trust, untrust. I not sure if I can create local. and if I can i dont know how.

Destination:

zone: same as above I do have remote. Only the the listed choices was there.

Destination/Source:

Address: I only want an specific IP address where the client PC can connect. Where will I input it at Source address or Destionation address?

Service

I created a service. Please check if my setting is correct.

Name: test

Description: blank

Protocol: TCP

Destionation Port: 12345 (sample only)

Source Port: blank

Tags: Blank

Also I tested.

Source zone: internal

Destination zone: access

address: any for both.

and i have this msg.

Status: Completed

Result: Failed

Details

In VSYS vsys1 from zone Internal of type vwire and to zone access of type layer3 are incompatible in security rule Remote Desktop Protocol
Configuration is invalid

Thank you.

Best regards,

Uldridge

Re: How to allow RDP with specific port.

ugalarosa — Fri, 08 Dec 2017 06:33:03 GMT

Hi @BPry,

I have read some items about globalprotect but I still dont understand how it works or how to configure.

Im new to this Palo Alto..

Im not the one who setup the Juniper so I dont know.

Is you could help me to find a step by step insturction how to remote my server. It will be a big help.

Thank you.

Best regards,

Re: How to allow RDP with specific port.

reaper — Fri, 08 Dec 2017 07:59:50 GMT

hi @ugalarosa

zones can be given any name you like to best reflect a topology that makes sense to you

in my lab i have my internal zone and my external zone, which makes it easier to illustrate what is where but you can have very different zones (dmz, lan, wan, ...). You can configure/review your zones in Network > Zones

I created the "getting started series" a while ago, you may want to check it out as it'll help you understand some concepts

your service looks perfect

the error message indicates you created a security policy that would allow sessions to flow between two incompatible interfaces

one of your zones is attached to a layer3 interface while the other is connected to a vwire, which is a "bump in the wire" directly between two interfaces

Please have a look at the getting started series and let me know if something is not clear yet

Re: How to allow RDP with specific port.

ugalarosa — Sat, 09 Dec 2017 01:52:29 GMT

Hi @reaper,

Good day.

I will check the guide you prepare. and will update this post.

Your assistance is highly appreciated.

Thank you very much.

Re: How to allow RDP with specific port.

ugalarosa — Fri, 15 Dec 2017 01:07:45 GMT

I havent solve my problem and I am coordinating with our local supplier/support but i can close this ticket and will try to post later what happen on my issue