I'm trying to set up ssl vpn on PAN. I would like to know which security policies are necessary to make the portal work.
My actual rule is:
Source Zone: untrust
Destination Zone: untrust
Source Address: any
Source User: any
Destination Address: public ip
Application: ssl, ipsec, panos-web-interface, web-browsing
If I use "any" as service, the portal is shown, I can log in and the tunnel works, but using the above rule the portal doesn't work. Inspecting the log I can see that traffic is denied by the default block rule.
deny untrust untrust addr.src addr.dst 22735 443 addr.src.nat addr.dst.nat 22735 20077 tcp web-browsing deny default_block
Addr.src = addr.src.nat
Addr.dst = addr.dst.nat
Somehow port 443 is mapped by some kind of nat to port 20077 so I suppose that I have to open it. Which port range should be opened?
Initially you only need to allow SSL and IPSEC from untrust to untrust. What is the zone for your tunnel interface? If it is something other than untrust or trust you will need to create rules that allow from the untrust to the VPN-Zone and VPN-Zone to trust. Use the CLI commands to see which rule is dropping your traffic.
show session all filter source <ip_of_test_pc>
This should show you at least one session, app = ssl, and some ID number.
Then look at the ID.
show session id xxxxx
This will show you the ingress and egress interfaces and the security rule that allowed or dropped the packets.
If this is not enough then you will need to open a support ticket.
I had a Block_All rule defined for logging reasons. This rule overruled the default intrazone-allow rule and prevented the VPN portal page from working properly.
The reason your portal page is being blocked when using application default for the service is that the web-browsing application traffic is on port 443 for the ssl vpn portal and not the default of 80/8080. See this post: https://live.paloaltonetworks.com/docs/DOC-1198 as to why.
The way I got around it was to create a service for the IPSec traffic, called it service-ipsec on UDP 4500-4501 and then use specific services, i.e. service-http, service-https & service-ipsec, instead of application default or any.
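As an added illustration (not code from this thread or from Palo Alto Networks), a small Python model of why the portal session in the log above falls through to the default block when the rule's service is application-default, but matches when explicit service objects are used. The App-ID names, the application-default port table and the service object contents are assumptions made for the example.

```python
# Added example: toy model of PAN-OS style rule matching for the session seen in the
# thread (web-browsing on tcp/443). Port tables below are assumed for illustration.
from dataclasses import dataclass

# Assumed application-default ports per App-ID: web-browsing is NOT expected on 443.
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80), ("tcp", 8080)},
    "ssl": {("tcp", 443)},
    "ipsec": {("udp", 500), ("udp", 4500)},
}

# Service objects; service-ipsec is the custom UDP 4500-4501 object from the answer.
SERVICES = {
    "service-http": {("tcp", 80), ("tcp", 8080)},
    "service-https": {("tcp", 443)},
    "service-ipsec": {("udp", p) for p in range(4500, 4502)},
}

@dataclass
class Rule:
    name: str
    applications: set
    services: tuple   # ("application-default",) or names from SERVICES

@dataclass
class Session:
    app: str
    proto: str
    dport: int

def rule_matches(rule, s):
    """App-ID must match; then the port is checked against app-default or services."""
    if s.app not in rule.applications:
        return False
    if rule.services == ("application-default",):
        allowed = APP_DEFAULT_PORTS.get(s.app, set())
    else:
        allowed = set().union(*(SERVICES[n] for n in rule.services))
    return (s.proto, s.dport) in allowed

def evaluate(rules, s):
    """Return the first matching rule name, or 'default_block' like the log line."""
    for r in rules:
        if rule_matches(r, s):
            return r.name
    return "default_block"

APPS = {"ssl", "ipsec", "panos-web-interface", "web-browsing"}
APP_DEFAULT_RULE = Rule("GP-Portal", APPS, ("application-default",))
EXPLICIT_RULE = Rule("GP-Portal", APPS, ("service-http", "service-https", "service-ipsec"))

if __name__ == "__main__":
    portal = Session("web-browsing", "tcp", 443)   # constructed from the log line
    print(evaluate([APP_DEFAULT_RULE], portal), evaluate([EXPLICIT_RULE], portal))
```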