https://live.paloaltonetworks.com/t5/general-topics/difference-zone-between-end-users-and-domain-controller-on-palo/m-p/230846#M66309 <P>Hello all,</P><P>&nbsp;</P><P>I have a problem with palo alto PA-850. I configure domain controllers and end users diference zone. example: zone name: Server for domain controllers, and zone: User for end users.</P><P>&nbsp;</P><P>I setup policy to allow all traffic from Zone: Server to Zone: User and from User to Server. but end users could not authenticate with domain controllers.&nbsp; I checked in traffic logs: To-Port: 135, 445, Aplication: Incomplete. Please help to advise</P><P>&nbsp;</P><P>thanks</P> Fri, 14 Sep 2018 13:08:29 GMT Chivas 2018-09-14T13:08:29Z https://live.paloaltonetworks.com/t5/general-topics/difference-zone-between-end-users-and-domain-controller-on-palo/m-p/230846#M66309 <P>Hello all,</P><P>&nbsp;</P><P>I have a problem with palo alto PA-850. I configure domain controllers and end users diference zone. example: zone name: Server for domain controllers, and zone: User for end users.</P><P>&nbsp;</P><P>I setup policy to allow all traffic from Zone: Server to Zone: User and from User to Server. but end users could not authenticate with domain controllers.&nbsp; I checked in traffic logs: To-Port: 135, 445, Aplication: Incomplete. Please help to advise</P><P>&nbsp;</P><P>thanks</P> Fri, 14 Sep 2018 13:08:29 GMT https://live.paloaltonetworks.com/t5/general-topics/difference-zone-between-end-users-and-domain-controller-on-palo/m-p/230846#M66309 Chivas 2018-09-14T13:08:29Z https://live.paloaltonetworks.com/t5/general-topics/difference-zone-between-end-users-and-domain-controller-on-palo/m-p/230853#M66310 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/97490">@Chivas</a>,</P> <P>&nbsp;</P> <P>Try following the packet with PCAPs (is the server actually getting the packet ? Is the server returning the packet correctly ?)</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data-in-the-Application/ta-p/65711" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data-in-the-Application/ta-p/65711</A></P> <P>&nbsp;</P> <P>Good luck !</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Fri, 14 Sep 2018 13:44:30 GMT https://live.paloaltonetworks.com/t5/general-topics/difference-zone-between-end-users-and-domain-controller-on-palo/m-p/230853#M66310 kiwi 2018-09-14T13:44:30Z https://live.paloaltonetworks.com/t5/general-topics/difference-zone-between-end-users-and-domain-controller-on-palo/m-p/230865#M66315 <P>hi Kiwi,</P><P>&nbsp;</P><P>I checked in PCAPs, the server is not getting the packet. but from client, I can ping or tracert to the server, even access network share on the server. just cannot authenticate when end users login. Please help to advise, do I need to configure any thing</P><P>&nbsp;</P><P>the rule i setup:</P><P>&nbsp;</P><P>active-directory {</P><P>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;&nbsp;source zone: User;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; source&nbsp; address: any;</P><P>&nbsp; &nbsp; &nbsp; &nbsp; user any;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; destination zone: Server;</P><P>&nbsp; &nbsp; &nbsp; &nbsp; destination address: any;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;category any;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; application any;</P><P>&nbsp; &nbsp; &nbsp; &nbsp; service any;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; action allow;</P><P>}</P><P>&nbsp;</P><P>thanks</P><P>&nbsp;</P> Fri, 14 Sep 2018 14:48:53 GMT https://live.paloaltonetworks.com/t5/general-topics/difference-zone-between-end-users-and-domain-controller-on-palo/m-p/230865#M66315 Chivas 2018-09-14T14:48:53Z https://live.paloaltonetworks.com/t5/general-topics/difference-zone-between-end-users-and-domain-controller-on-palo/m-p/230869#M66317 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/97490">@Chivas</a>,</P><P>What if you actually look at the session ID in the CLI; does that give you any additional insight. Your security policy looks fine as the only thing you are really doing is analyzing the zones.&nbsp;&nbsp;</P> Fri, 14 Sep 2018 14:55:27 GMT https://live.paloaltonetworks.com/t5/general-topics/difference-zone-between-end-users-and-domain-controller-on-palo/m-p/230869#M66317 BPry 2018-09-14T14:55:27Z https://live.paloaltonetworks.com/t5/general-topics/difference-zone-between-end-users-and-domain-controller-on-palo/m-p/230877#M66319 <P>Hello,</P><P>Application incomplete in my experience has been a routing issue. If they are on different subnets, e.g. useres and servers, make sure the routes are in place.</P><P>&nbsp;</P><P>Regards,</P> Fri, 14 Sep 2018 16:37:21 GMT https://live.paloaltonetworks.com/t5/general-topics/difference-zone-between-end-users-and-domain-controller-on-palo/m-p/230877#M66319 OtakarKlier 2018-09-14T16:37:21Z https://live.paloaltonetworks.com/t5/general-topics/difference-zone-between-end-users-and-domain-controller-on-palo/m-p/231178#M66381 <P>Thank Klier, I fixed my problem.</P> Tue, 18 Sep 2018 02:42:20 GMT https://live.paloaltonetworks.com/t5/general-topics/difference-zone-between-end-users-and-domain-controller-on-palo/m-p/231178#M66381 Chivas 2018-09-18T02:42:20Z https://live.paloaltonetworks.com/t5/general-topics/difference-zone-between-end-users-and-domain-controller-on-palo/m-p/429172#M94842 <P>What was the fix?</P> Wed, 25 Aug 2021 16:12:22 GMT https://live.paloaltonetworks.com/t5/general-topics/difference-zone-between-end-users-and-domain-controller-on-palo/m-p/429172#M94842 Networking2017 2021-08-25T16:12:22Z