topic Re: How to configure PAN to allow for SFTP traffic over public ip in General Topics

How to configure PAN to allow for SFTP traffic over public ip

KarthikMuthukrishnan — Sun, 03 Mar 2019 09:54:21 GMT

Hi ,

How to configure PAN to allow for the SFTP traffic over public ip.

Thanks

Re: How to configure PAN to allow for SFTP traffic over public ip

Remo — Sun, 03 Mar 2019 21:06:16 GMT

From internal to the internet or from the internet to a host in your internal network?

In both cases you need a NAT rule and a security policy rule that allows ssh.

Re: How to configure PAN to allow for SFTP traffic over public ip

KarthikMuthukrishnan — Mon, 04 Mar 2019 06:49:07 GMT

Thanks for your reply , I am new to this process.

Working on a task to migrate existing DMZ traffic from ASA to Palo alto.

I was told to Configure the PAN to allow for the SFTP traffic over an public IP, no idea about it.

that means redirecting the traffic to public ip ? please give me details configure note.

Thanks in advance

Re: How to configure PAN to allow for SFTP traffic over public ip

Remo — Sat, 09 Mar 2019 17:43:58 GMT

What exactly do you try to configure? Allow sftp from internal/dmz to the internet or from the internet to an internal or dmz server? If from internet, does your server have a punlic or private IP?

In order to let the community help you need to give us some more informations about the situation.

Re: How to configure PAN to allow for SFTP traffic over public ip

KarthikMuthukrishnan — Mon, 11 Mar 2019 12:13:18 GMT

Hi,

Configuration to allow aftp from dmz to internet .

Thanks

Re: How to configure PAN to allow for SFTP traffic over public ip

Remo — Mon, 11 Mar 2019 17:15:47 GMT

Hi @KarthikMuthukrishnan

Does your DMZ server have a private IP? If yes then you need a security policy rule that allows ssh from your DMZ server zone and IP to the internet. In addition you need a NAT rule with the source your dmz server zone/ip as source and the internet zone as destination. In the translated address tab configure dynamic ip and port and interface IP. There you chose your internet facing interface and the corresponding IP.

Re: How to configure PAN to allow for SFTP traffic over public ip

KarthikMuthukrishnan — Thu, 14 Mar 2019 12:20:31 GMT

Hi,

I did create a NAT policy where both source and destination are untrust zones, source - any, destination is public ip and destination address translation is private IP ( sftp Ip ) . hope I am right.

policy :

source : untrust , ip address : any

destination : trust , ip address :not sure which IP i sho uld give sftp private IP or public ip .

application : any , service : sftp , action allow

Thanks

Re: How to configure PAN to allow for SFTP traffic over public ip

OtakarKlier — Thu, 14 Mar 2019 21:12:05 GMT

Hello,

Check out this article, it may help out:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CllzCAC

Regards,

Re: How to configure PAN to allow for SFTP traffic over public ip

KarthikMuthukrishnan — Mon, 18 Mar 2019 12:49:32 GMT

Hello,

Thanks for the link... I read few documents

Looks like this will exactly serve my purpose.

I am adding new external ip (public ip) and point it to the existing sftp ip (private ip ) . Correct me if I am wrong.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping