topic Re: Allow workstations to join domain controller in General Topics

Allow workstations to join domain controller

FoxOnTheRun — Wed, 26 May 2021 10:48:52 GMT

I am new to palo alto firewall. I have to configure the firewall rules to allow workstation to join the domain controller. The workstation is placed in LAN zone while the domain controller is placed in SRV zone. I have added the rule to allow LAN zone to authenticate with SRV zone using 'active directory' application and 'application-default' service, as well as 'dns' application. However, the workstation is unable to join the domain controller because the domain controller was unreachable. When I tried to allow all applications and service from LAN zone to SRV zone, the computer has no issue reaching the domain controller. I am not sure what I am doing wrong here and would appreciate some help.

Re: Allow workstations to join domain controller

Mick_Ball — Wed, 26 May 2021 16:03:56 GMT

set your rule back to what you think it should be. then add a rule directly below blocking all from LAN zone to SRV zone. set this to log session start and you will see what is being denied....

there are many offerings on the web for required ports but I prefer to see for myself...

Re: Allow workstations to join domain controller

FoxOnTheRun — Wed, 26 May 2021 17:30:06 GMT

I just realize a mistake of not adding the dependency into the application rules when choosing 'active-directory' application. Thanks for your suggestion too, I will use it to fix other current issues in my firewall.

Re: Allow workstations to join domain controller

Remo — Wed, 26 May 2021 17:48:46 GMT

I use the following apps with service application-default for traffic towards the domain controllers

ntp
dns
ms-netlogon
kerberos
ldap
msrpc
active-directory
netbios-ss
ms-ds-smb-base
ms-ds-smbv2
ms-ds-smbv3
net.tcp
netbios-ns
netbios-dg

This allows domain joined clients and servers to communicate with the AD servers. For admin-tasks additional app-ids are required.

Re: Allow workstations to join domain controller

FoxOnTheRun — Sat, 29 May 2021 05:12:25 GMT

Thanks for the help, turns out the dependencies were not enough and your solution has helped me a lot.

Re: Allow workstations to join domain controller

Mick_Ball — Sat, 29 May 2021 06:34:14 GMT

Cool.... FYI... you can set the built-in inter/intra policies at the bottom of your ruleset to log session start but will log absolutely everything so thats why i prefer to be more specific with zone to zone info or source/dest ip... And sorry for teaching egg sucking but always make sure this goes pretty much as the last policy when your ruleset starts to increase...