https://live.paloaltonetworks.com/t5/general-topics/firewall-policy/m-p/191974#M57736 <P>Thanks for your advise.</P><P>&nbsp;</P><P>I have configured with both zones as untrust, but not working. While checking from Rule-50 log, I noticed all traffics are denied. If I open Rule-20 log viewer, no traffic there.</P><P>&nbsp;</P><P>Is there any rule need to be created before Rule-50, for return traffic from destination to source to accept for Rule-20.</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 17 Dec 2017 10:55:03 GMT meshbah 2017-12-17T10:55:03Z https://live.paloaltonetworks.com/t5/general-topics/firewall-policy/m-p/191965#M57734 <P>I am working to configure our new Palo Alto Firewall. In the policy section, I have configured one policy to allow RDP service (3389) using souce &amp; destinaion IP address (Rule-20) and configured another rule (Rule-50) to deny all traffic.&nbsp;</P><P>&nbsp;</P><P>Below is the summary of config-</P><P>&nbsp;</P><P>Rule-20:</P><P>Source IP: 192.168.10.20</P><P><SPAN>Dest IP: 192.168.15.20</SPAN></P><P><SPAN>App: RDP (3389)</SPAN></P><P><SPAN>Action: Allow</SPAN></P><P>&nbsp;</P><P>Rule-50:</P><P>Source IP:&nbsp;any</P><P><SPAN>Dest IP:&nbsp;any</SPAN></P><P><SPAN>App:&nbsp;any</SPAN></P><P><SPAN>Action: Deny</SPAN></P><P>&nbsp;</P><P><SPAN>But, the traffic policy is not working. I thin, there should one rule for the return traffic. But, I am unable to configure it.</SPAN></P><P>&nbsp;</P><P><SPAN>Need your advise to fix it.</SPAN></P><P>&nbsp;</P><P><SPAN>Regards,</SPAN></P><P><SPAN>Meshbah</SPAN></P> Sun, 17 Dec 2017 08:48:43 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-policy/m-p/191965#M57734 meshbah 2017-12-17T08:48:43Z https://live.paloaltonetworks.com/t5/general-topics/firewall-policy/m-p/191973#M57735 <P>If you are passing traffic from untrust to trust zones you are also going to need a NAT rule as well as the security rule to make this work.</P><P>It would be a like this.</P><P>Source zone and destination zone = both untrust</P><P>Destination address = 192.168.10.20</P><P>Service RDP tcp port 3389 ( you may need to create this in objects, services)</P><P>Destination translation = 192.168.15.20</P><P>&nbsp;</P><P>This is assuming these are on different network subnets.</P> Sun, 17 Dec 2017 10:07:36 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-policy/m-p/191973#M57735 ChrisRead 2017-12-17T10:07:36Z https://live.paloaltonetworks.com/t5/general-topics/firewall-policy/m-p/191974#M57736 <P>Thanks for your advise.</P><P>&nbsp;</P><P>I have configured with both zones as untrust, but not working. While checking from Rule-50 log, I noticed all traffics are denied. If I open Rule-20 log viewer, no traffic there.</P><P>&nbsp;</P><P>Is there any rule need to be created before Rule-50, for return traffic from destination to source to accept for Rule-20.</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 17 Dec 2017 10:55:03 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-policy/m-p/191974#M57736 meshbah 2017-12-17T10:55:03Z https://live.paloaltonetworks.com/t5/general-topics/firewall-policy/m-p/191979#M57737 <P>If your traffic is missing rule 20 and hitting your deny all at rule 50, There is something about your traffic that done not match rule 20. Make sure the service you specified in the NAT rule is also added to the security rule.</P><P>The NAT rule is untrust to untrust and the security rule is untrust to trust.</P><P>&nbsp;</P><P>Chris</P> Sun, 17 Dec 2017 15:51:37 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-policy/m-p/191979#M57737 ChrisRead 2017-12-17T15:51:37Z https://live.paloaltonetworks.com/t5/general-topics/firewall-policy/m-p/192008#M57742 <P>I may be missing something but your original post does not mention this is a connection coming from outside, so am wondering if NAT is even necessary?</P> <P>&nbsp;</P> <P>Could you check your log file to see which zones are associated with 192.168.10.20 and 192.168.15.20? you may need to set the correct zones in your policy (this is a zone based firewall so zones are very important)</P> <P>How did you set the service in your rules? application default or a specific service</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>FYI you don't need to create return rules, every flow is created bidirectionally and will accept returning packets automatically</P> Mon, 18 Dec 2017 07:33:38 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-policy/m-p/192008#M57742 reaper 2017-12-18T07:33:38Z https://live.paloaltonetworks.com/t5/general-topics/firewall-policy/m-p/192022#M57744 <P><SPAN>It works now. I had created a application rule based on destination port, which was not compatible. However, there was already built in app on required port. After configured on that app, it works now. Thanks for your support.</SPAN></P> Mon, 18 Dec 2017 08:40:40 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-policy/m-p/192022#M57744 meshbah 2017-12-18T08:40:40Z