Allow workstations to join domain controller

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Allow workstations to join domain controller

L1 Bithead

I am new to palo alto firewall. I have to configure the firewall rules to allow workstation to join the domain controller. The workstation is placed in LAN zone while the domain controller is placed in SRV zone. I have added the rule to allow LAN zone to authenticate with SRV zone using 'active directory' application and 'application-default' service, as well as 'dns' application. However, the workstation is unable to join the domain controller because the domain controller was unreachable. When I tried to allow all applications and service from LAN zone to SRV zone, the computer has no issue reaching the domain controller. I am not sure what I am doing wrong here and would appreciate some help. 

2 accepted solutions

Accepted Solutions

L7 Applicator

set your rule back to what you think it should be.  then add a rule directly below blocking all from LAN zone to SRV zone. set this to log session start and you will see what is being denied....

 

there are many offerings on the web for required ports but I prefer to see for myself...

View solution in original post

I use the following apps with service application-default for traffic towards the domain controllers

  • ntp
  • dns
  • ms-netlogon
  • kerberos
  • ldap
  • msrpc
  • active-directory
  • netbios-ss
  • ms-ds-smb-base
  • ms-ds-smbv2
  • ms-ds-smbv3
  • net.tcp
  • netbios-ns
  • netbios-dg

This allows domain joined clients and servers to communicate with the AD servers. For admin-tasks additional app-ids are required.

View solution in original post

5 REPLIES 5

L7 Applicator

set your rule back to what you think it should be.  then add a rule directly below blocking all from LAN zone to SRV zone. set this to log session start and you will see what is being denied....

 

there are many offerings on the web for required ports but I prefer to see for myself...

I just realize a mistake of not adding the dependency into the application rules when choosing 'active-directory' application. Thanks for your suggestion too, I will use it to fix other current issues in my firewall.

I use the following apps with service application-default for traffic towards the domain controllers

  • ntp
  • dns
  • ms-netlogon
  • kerberos
  • ldap
  • msrpc
  • active-directory
  • netbios-ss
  • ms-ds-smb-base
  • ms-ds-smbv2
  • ms-ds-smbv3
  • net.tcp
  • netbios-ns
  • netbios-dg

This allows domain joined clients and servers to communicate with the AD servers. For admin-tasks additional app-ids are required.

Thanks for the help, turns out the dependencies were not enough and your solution has helped me a lot.  

Cool....  FYI... you can set the built-in inter/intra policies at the bottom of your ruleset to log session start but will log absolutely everything so thats why i prefer to be more specific with zone to zone info or source/dest ip... And sorry for teaching egg sucking but always make sure this goes pretty much as the last policy when your ruleset starts to increase...

  • 2 accepted solutions
  • 9519 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!