RDP connections with application incomplete

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

RDP connections with application incomplete

L0 Member
 

Hello guys,

 

I have a rule authorizing the RDP, ping and tracert connection between two hosts on different networks.
Ping and tracert connections occur without any problem, RDP connections are flagged in the monitor in application as incomplete

Could you help me with this doubt please?

 

Note the interfaces are configured in layer 3 and a NAT rule already exists

 

I've seen some threads on this same subject but none of them helped me to solve the problem.

 



Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.
2 REPLIES 2

L4 Transporter

Hello @Mr_Cruz , good afternoon.

 

For clarity:

You have two networks behind your Palo Alto:

Do you have communication between those endpoints that you are testing at Ping/icmp traceroute level, with successful results as you indicate ? If you have correct response at the ICMP level, then we conclude that at the level of connectivity between the equipment you are testing, there is no problem.

Now you have the corresponding security policy or policies that allow connectivity between these networks and zones ? you have a security policy that is allowing, for example if you have it at service level, policy with TCP:3389 service (UDP:3389 also for acceleration issues UDP is used) or you are allowing any service but at application level you have RDP and / or app default ? are you using a custom RDP port ?

Do you have NAT enabled to source NAT in the communication between those networks ? and that for some internal security requirement or for some other reason ?

 

The NAT 2 rule, you name it as DNAT, destination NAT, as a portforwaring, but what you have configured there is another Source NAT, that will apply the Masquerading when going to that destination, with the IP that you have set in source translate.


Best regards

 

Examples NATs:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples

https://www.packetswitch.co.uk/palo-alto-nat-example/

High Sticker

Hello @Metgatz, good morning!

 

Yes I have two networks through palo alto palo alto makes the interface between my industrial network and my corporate network, Communication normally takes place via ping and tracert, the only communication that is not succeeding as far as I could detect is TCP RDP (Port 3389).

Yes, I have some restrictive rules between two zones (networks) and I filter the IP addresses that can carry out this communication, but in this case I am allowing traffic from any application and any service, The NAT rule is like this because I was carrying out some tests to verify that there was no routing problem, because in the past this NAT did not exist and communications were unstable.

 


The curious thing is that RDP communication has worked in the past with the same configuration as it is currently, but it stopped working a few days ago, and the problem only occurs with RDP communication, which is intriguing!!!

 

 

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!