SSL VPN Portal Page

Not applicable

Hi guys,

I'm trying to set up ssl vpn on PAN. I would like to know which security policies are necessary to make the portal work.

My actual rule is:

Source Zone: untrust

Destination Zone: untrust

Source Address: any

Source User: any

Destination Address: public ip

Application: ssl, ipsec, panos-web-interface, web-browsing

Service: application-default

If I use "any" as service, the portal is shown, I can log in and the tunnel works, but using the above rule the portal doesn't work. Inspecting the log I can see that traffic is denied by the default block rule.

deny untrust untrust addr.src addr.dst 22735      443 addr.src.nat addr.dst.nat 22735      20077      tcp      web-browsing      deny default_block

addr.src = addr.src.nat

addr.dst = addr.dst.nat

Somehow port 443 is mapped by some kind of nat to port 20077 so I suppose that I have to open it. Which port range should be opened?

Thanks!

L4 Transporter

Re: SSL VPN Portal Page

Initially you only need to allow SSL and IPSEC from untrust to untrust. What is the zone for your tunnel interface? If it is something other than untrust or trust you will need to create rules that allow from the untrust to the VPN-Zone and VPN-Zone to trust. Use the CLI commands to see which rule is dropping your traffic.

show session all filter source <ip_of_test_pc>

This should show you at least one session, app = ssl, and some ID number.

Then look at the ID.

show session id xxxxx

This will show you the ingress and egress interfaces and the security rule that allowed or dropped the packets.

If this is not enough then you will need to open a support ticket.

Steve Krall

Not applicable

Re: SSL VPN Portal Page

I had a Block_All rule defined for logging reasons. This rule overruled the default intrazone-allow rule and prevented the VPN portal page from working properly.

L1 Bithead

Re: SSL VPN Portal Page

The reason your portal page is being blocked when using application default for the service is that the web-browsing application traffic is on port 443 for the ssl vpn portal and not the default of 80/8080. See this post: https://live.paloaltonetworks.com/docs/DOC-1198 as to why.

The way I got around it was to create a service for the IPSec traffic, called it service-ipsec on UDP 4500-4501 and then use specific services, i.e. service-http, service-https & service-ipsec, instead of application default or any.
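The two findings in this thread (the asker's Block_All rule sitting in front of the implicit intrazone-default allow, and the last reply's point that web-browsing on tcp/443 does not satisfy application-default) can be checked against a small model of the rule lookup. The code below is an added illustration written for this thread, not PAN-OS code and not Palo Alto Networks' matching logic; the default-port table, the rule and service names, and the order of the implicit rules are assumptions made for the example. The logged flow is the one from the asker's traffic log line (untrust to untrust, tcp/443, app web-browsing).

```python
# Added example: a toy model of first-match security policy evaluation with
# Service = application-default versus explicit service objects.
# Not PAN-OS code; tables and names below are assumptions for illustration.
from dataclasses import dataclass

# Assumed standard ports for the apps named in the thread. web-browsing
# defaulting to tcp/80 and tcp/8080 is what the last reply describes.
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80), ("tcp", 8080)},
    "ssl": {("tcp", 443)},
    "ipsec": {("udp", 500), ("udp", 4500)},
}

# Explicit service objects as the last reply built them (service-ipsec is the
# custom object on UDP 4500-4501; http/https are assumed predefined ranges).
SERVICES = {
    "service-http": [("tcp", 80, 80), ("tcp", 8080, 8080)],
    "service-https": [("tcp", 443, 443)],
    "service-ipsec": [("udp", 4500, 4501)],
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    app: str


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # "any" or a zone name
    dst_zone: str
    apps: frozenset  # frozenset of app names, or frozenset({"any"})
    service: object  # "application-default", "any", or a tuple of service names
    action: str = "allow"


def service_matches(rule, flow):
    """application-default only matches the app on its own standard ports."""
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        return (flow.proto, flow.dst_port) in APP_DEFAULT_PORTS.get(flow.app, set())
    for name in rule.service:
        for proto, lo, hi in SERVICES[name]:
            if proto == flow.proto and lo <= flow.dst_port <= hi:
                return True
    return False


def rule_matches(rule, flow):
    zones_ok = (rule.src_zone in ("any", flow.src_zone)
                and rule.dst_zone in ("any", flow.dst_zone))
    apps_ok = "any" in rule.apps or flow.app in rule.apps
    return zones_ok and apps_ok and service_matches(rule, flow)


def evaluate(rules, flow):
    """First explicit match wins; then the implicit intrazone-default (allow)
    for same-zone flows or interzone-default (deny) applies (assumed order)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    if flow.src_zone == flow.dst_zone:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"


PORTAL_APPS = frozenset({"ssl", "ipsec", "panos-web-interface", "web-browsing"})

# The asker's rule: correct apps, but Service = application-default.
ASKER_RULE = Rule("ssl-vpn-portal-appdefault", "untrust", "untrust",
                  PORTAL_APPS, "application-default")
# The last reply's workaround: explicit services instead of application-default.
FIXED_RULE = Rule("ssl-vpn-portal", "untrust", "untrust", PORTAL_APPS,
                  ("service-http", "service-https", "service-ipsec"))
# The asker's logging catch-all, which hides the implicit intrazone-default allow.
BLOCK_ALL = Rule("Block_All", "any", "any", frozenset({"any"}), "any", "deny")

# Constructed flows matching the thread: the logged portal hit, plus the ssl
# and ipsec flows the first reply expects to see in 'show session all'.
PORTAL_FLOW = Flow("untrust", "untrust", "tcp", 443, "web-browsing")
SSL_FLOW = Flow("untrust", "untrust", "tcp", 443, "ssl")
IPSEC_FLOW = Flow("untrust", "untrust", "udp", 4500, "ipsec")

if __name__ == "__main__":
    for label, rules in (("asker + Block_All", [ASKER_RULE, BLOCK_ALL]),
                         ("asker, no Block_All", [ASKER_RULE]),
                         ("explicit services + Block_All", [FIXED_RULE, BLOCK_ALL])):
        for flow in (PORTAL_FLOW, SSL_FLOW, IPSEC_FLOW):
            print(f"{label:30} {flow.app:12} -> {evaluate(rules, flow)}")
```

Run as a script it prints one decision per rulebase and flow: the web-browsing hit on tcp/443 is denied by Block_All under the asker's rulebase, allowed only by the implicit intrazone-default once Block_All is removed, and allowed by the named rule once explicit services replace application-default; the ssl and ipsec flows match application-default in every case because they arrive on their standard ports.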
