Having trouble granting access for an application

L2 Linker

Hi!

One of our customers has RDP access to a server; it works like a charm.

And now I was about to grant access to an application using ports 4850 and 4851, but it would seem that this wouldn't be that simple.

I've attached the NAT of the working RDP, and the non-working OPC application:

nat.PNG

(I've also added the newly created application to the existing Security rule that allows RDP.)


I want to add that the newly created application has not been given any signatures, only properties, characteristics, timeouts and the ports themselves. But even if the application is somehow "wrongly" created, at least the ports should be registered as open?

Anyone have any clue as to what I might have forgotten, or rather have done wrong?

I'll provide more information if needed.

4 replies

L2 Linker

Thought I found a solution, but this didn't work either:

Adding a Custom Application/Ports to Security Policy
security.PNG

I added the services without the RDP at first, noticed the connection was terminated, and it was re-established when I added it back. So there must be something I'm missing in regards to the other ports.

L3 Networker

Create an "Application Override" policy for your new application for traffic destined to the server's IP and port....

Hello Pred-martin,

(1) Could you please check if there is any session for this traffic on the PAN firewall. In the CLI, run '> show session all filter source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION' (collect the session ID).

(2) If a session exists for the same traffic, then please run the CLI command 'PAN> show session id XYZ' to get detailed information about that session, i.e. application, port, NAT rule, security rule, ingress/egress interface etc.

(3) Verify the global counters to see if a specific "DRP" counter is increasing rapidly.

- Create a packet filter under GUI > Monitor > Packet capture

- Run the command below multiple times (at 2-second intervals) while trying to establish the RDP connection.


> show counter global filter packet-filter yes delta yes


The command show counter global provides information about the processes/actions taken on the packets going through the device: whether they are dropped, NAT-ed, decrypted etc. These counters cover all the traffic going through the device and are useful in troubleshooting issues like packet loss. It is advised to use the command show counter global filter packet-filter yes delta yes in conjunction with filters to obtain meaningful data.

For more information, you can follow the DOC What is the Significance of Global Counters?

(4) Could you please share the custom service details (snapshot) for OPC-UA-4850, OPC-UA-4851 and RDP-3390?

Hope this helps.

Thanks
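Step (3) above asks you to poll the delta counters repeatedly while reproducing the connection and look for a "DRP" counter that keeps climbing. The script below is an added example, not part of the original post and not Palo Alto Networks' own tooling: it parses several successive samples and lists the drop-severity counters that were non-zero in more than one of them. The column layout it expects (name, value, rate, severity, category, aspect, description) and the counter names and values in the embedded samples are constructed assumptions modelled on the output of '> show counter global filter packet-filter yes delta yes'; replace the samples with the real output captured at each interval.

```python
import re
from collections import defaultdict

# Constructed sample output (NOT real firewall output). The column layout is an
# assumption modelled on "> show counter global filter packet-filter yes delta yes".
# With "delta yes" each run reports only the change since the previous run, so
# every sample below is already a delta.
HEADER = (
    "Global counters:\n"
    "Elapsed time since last sampling: 2.011 seconds\n\n"
    "name                          value     rate severity  category  aspect    description\n"
    "--------------------------------------------------------------------------------\n"
)
FOOTER = "--------------------------------------------------------------------------------\n"

SAMPLES = [
    HEADER
    + "pkt_recv                         14        7 info      packet    pktproc   Packets received\n"
    + "session_allocated                 1        0 info      session   resource  Sessions allocated\n"
    + "flow_policy_nat                   3        1 drop      flow      session   Session setup: NAT policy denied\n"
    + FOOTER + "Total counters shown: 3\n",
    HEADER
    + "pkt_recv                         11        5 info      packet    pktproc   Packets received\n"
    + "flow_policy_nat                   2        1 drop      flow      session   Session setup: NAT policy denied\n"
    + "flow_fwd_l3_noroute               1        0 drop      flow      forward   Packets dropped: no route\n"
    + FOOTER + "Total counters shown: 3\n",
    HEADER
    + "pkt_recv                         16        8 info      packet    pktproc   Packets received\n"
    + "flow_policy_nat                   4        2 drop      flow      session   Session setup: NAT policy denied\n"
    + FOOTER + "Total counters shown: 2\n",
]

# One counter row: name, value, rate, severity, category, aspect, free-text description.
COUNTER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>info|warn|drop|error)\s+(?P<category>\S+)\s+(?P<aspect>\S+)\s+"
    r"(?P<description>.*)$"
)


def parse_counters(text):
    """Parse one snapshot into {counter_name: row_dict}.

    Header, separator and footer lines never match the row pattern, so they are
    skipped without special-casing."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.rstrip())
        if m:
            row = m.groupdict()
            row["value"] = int(row["value"])
            row["rate"] = int(row["rate"])
            counters[row["name"]] = row
    return counters


def rising_drop_counters(samples, min_samples=2):
    """Across successive delta samples, return the drop-severity counters that
    were non-zero in at least min_samples samples, busiest first.

    Each entry is (name, total_delta, samples_seen, description). A counter that
    fires in every interval while you retry the connection is the one to look at;
    a single isolated increment is usually unrelated background noise."""
    totals = defaultdict(int)
    seen = defaultdict(int)
    descriptions = {}
    for sample in samples:
        for name, row in parse_counters(sample).items():
            if row["severity"] != "drop" or row["value"] == 0:
                continue
            totals[name] += row["value"]
            seen[name] += 1
            descriptions[name] = row["description"]
    result = [(n, totals[n], seen[n], descriptions[n]) for n in totals if seen[n] >= min_samples]
    return sorted(result, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, total, count, desc in rising_drop_counters(SAMPLES):
        print(f"{name:24} +{total:<5} in {count}/{len(SAMPLES)} samples  {desc}")
```

In the constructed samples only the NAT-policy drop counter fires in every interval, which is the pattern that would point at the NAT rule rather than the security rule; with real captures, the description column of whichever counter rises tells you which stage (NAT, policy, forwarding) is discarding the packets.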

Sorry for my delayed response to your help.

I tried the Application Override, to no avail. I also conferred with a "local" support, who claimed everything looked like it should.
As for your "CLI option", HULK, I didn't get any results. I don't know whether that was due to wrong input or something else, but I couldn't spend more time on the issue, so I just added the external IP to the server in question, which solved everything. I guess I must have missed a detail in regards to the NAT-ing(?!), but the question is what. The setup was identical to the working RDP.

Thanks anyway :)
