How to configure PAN to allow for SFTP traffic over public ip


Hi,

 

How to configure PAN to allow for the SFTP traffic over public ip.

 

Thanks

KM

L7 Applicator

Re: How to configure PAN to allow for SFTP traffic over public ip

From internal to the internet or from the internet to a host in your internal network?

In both cases you need a NAT rule and a security policy rule that allows ssh.

Re: How to configure PAN to allow for SFTP traffic over public ip

Thanks for your reply, I am new to this process.

 

Working on a task to migrate existing DMZ traffic from ASA to Palo Alto.

I was told to configure the PAN to allow for the SFTP traffic over a public IP; I have no idea about it.

Does that mean redirecting the traffic to the public IP? Please give me detailed configuration notes.
 
Thanks in advance 
KM
 
 
L7 Applicator

Re: How to configure PAN to allow for SFTP traffic over public ip

What exactly are you trying to configure? Allow SFTP from internal/DMZ to the internet, or from the internet to an internal or DMZ server? If from the internet, does your server have a public or private IP?

In order to let the community help, you need to give us some more information about the situation.

Re: How to configure PAN to allow for SFTP traffic over public ip

Hi,

 

Configuration to allow SFTP from DMZ to internet.

 

Thanks

KM

L7 Applicator

Re: How to configure PAN to allow for SFTP traffic over public ip

Hi @KarthikMuthukrishnan 

 

Does your DMZ server have a private IP? If yes, then you need a security policy rule that allows ssh from your DMZ server zone and IP to the internet. In addition, you need a NAT rule with your DMZ server zone/IP as source and the internet zone as destination. In the translated address tab, configure dynamic IP and port and interface IP. There you choose your internet-facing interface and the corresponding IP.
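The rule pair described in the reply above, written as PAN-OS configure-mode `set` commands. This is an added example, not part of the original post; the zone names `DMZ` and `Untrust`, the interface `ethernet1/1`, the object and rule names, and the documentation-range addresses are all assumptions, and the `#` lines are annotations rather than CLI input.

```text
# Assumed values (constructed for illustration):
#   DMZ server 10.0.2.10 in zone DMZ; internet zone Untrust on ethernet1/1

# Address object for the DMZ server (configure mode)
set address dmz-sftp-server ip-netmask 10.0.2.10/32

# Security rule: match the ssh App-ID (SFTP runs inside SSH) on its default
# port instead of "application any", so only SSH is allowed out on TCP/22
set rulebase security rules DMZ-SFTP-Out from DMZ to Untrust source dmz-sftp-server destination any application ssh service application-default action allow
set rulebase security rules DMZ-SFTP-Out log-end yes

# Source NAT: dynamic IP and port, translated to the IP of the
# internet-facing interface
set rulebase nat rules DMZ-SFTP-Out-NAT from DMZ to Untrust source dmz-sftp-server destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

commit

# Operational mode: check which rules a DMZ-to-internet SSH flow would hit
# (198.51.100.20 stands in for a remote SFTP server)
test security-policy-match from DMZ to Untrust source 10.0.2.10 destination 198.51.100.20 protocol 6 destination-port 22 application ssh
test nat-policy-match from DMZ to Untrust source 10.0.2.10 destination 198.51.100.20 protocol 6 destination-port 22
```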

Re: How to configure PAN to allow for SFTP traffic over public ip

Hi,

 

I did create a NAT policy where both source and destination are untrust zones, source - any, destination is the public IP, and destination address translation is the private IP (SFTP IP). Hope I am right.

 

Policy:

Source: untrust, IP address: any

Destination: trust, IP address: not sure which IP I should give, the SFTP private IP or the public IP.

Application: any, service: sftp, action: allow

 

Thanks

KM

 

 

L7 Applicator

Re: How to configure PAN to allow for SFTP traffic over public ip

Hello,

Check out this article, it may help out:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CllzCAC

 

Regards,

Re: How to configure PAN to allow for SFTP traffic over public ip

Hello,

 

Thanks for the link... I read a few documents.

 

Looks like this will exactly serve my purpose.

 

I am adding a new external IP (public IP) and pointing it to the existing SFTP IP (private IP). Correct me if I am wrong.

 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-configuration-examples/...
