Allow workstations to join domain controller


L1 Bithead

I am new to Palo Alto firewalls. I have to configure the firewall rules to allow a workstation to join the domain controller. The workstation is in the LAN zone, while the domain controller is in the SRV zone. I have added a rule allowing the LAN zone to authenticate to the SRV zone using the 'active-directory' application with the 'application-default' service, as well as the 'dns' application. However, the workstation is unable to join the domain because the domain controller is unreachable. When I allow all applications and services from the LAN zone to the SRV zone, the computer has no issue reaching the domain controller. I am not sure what I am doing wrong here and would appreciate some help.

5 REPLIES

L7 Applicator

Set your rule back to what you think it should be. Then add a rule directly below it blocking all traffic from the LAN zone to the SRV zone. Set this rule to log at session start and you will see what is being denied.

There are many offerings on the web for the required ports, but I prefer to see for myself.

I just realized my mistake of not adding the dependencies to the application rule when choosing the 'active-directory' application. Thanks for your suggestion too; I will use it to fix other current issues in my firewall.

I use the following apps with service application-default for traffic towards the domain controllers:

  • ntp
  • dns
  • ms-netlogon
  • kerberos
  • ldap
  • msrpc
  • active-directory
  • netbios-ss
  • ms-ds-smb-base
  • ms-ds-smbv2
  • ms-ds-smbv3
  • net.tcp
  • netbios-ns
  • netbios-dg

This allows domain-joined clients and servers to communicate with the AD servers. For admin tasks, additional App-IDs are required.

Thanks for the help. It turns out the dependencies were not enough, and your solution has helped me a lot.

Cool. FYI, you can set the built-in interzone/intrazone policies at the bottom of your ruleset to log at session start, but that will log absolutely everything, which is why I prefer to be more specific with zone-to-zone info or source/destination IP. And sorry for teaching you to suck eggs, but always make sure this goes pretty much as the last policy when your ruleset starts to grow.
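The two answers above describe a method (put a deny-and-log rule directly under the allow rule, then read the traffic log) and an App-ID list (the application-default allow rule). The following is an added example, not code from the thread or from Palo Alto Networks: it parses a traffic-log export, summarises what the deny rule caught between LAN and SRV, sorts the denied App-IDs into "already on the list but still denied" (rule order or dependencies), "unidentified, only the port is known" and "not on the list" (admin tasks to decide on deliberately), and renders the two rules as PAN-OS CLI `set` commands. The log lines are constructed and use a simplified column set rather than the full PAN-OS traffic-log schema; the rule names `allow-ad-clients` and `deny-lan-to-srv-log` are assumptions; the CLI syntax is written from memory and should be checked against your PAN-OS version before use.

```python
"""Added example (not from the thread): analyse denied LAN->SRV sessions from a
PAN-OS traffic-log export, compare them with the App-ID allow list posted
above, and render the allow rule plus the deny-and-log rule as CLI commands."""
import csv
import io
from collections import Counter

# App-IDs from the accepted answer above (service: application-default).
ALLOWED_APPS = frozenset({
    "ntp", "dns", "ms-netlogon", "kerberos", "ldap", "msrpc",
    "active-directory", "netbios-ss", "ms-ds-smb-base", "ms-ds-smbv2",
    "ms-ds-smbv3", "net.tcp", "netbios-ns", "netbios-dg",
})

# App-ID values PAN-OS writes when it could not identify the application;
# for these only the protocol/port tells you anything.
UNIDENTIFIED = frozenset({"incomplete", "insufficient-data", "not-applicable",
                          "unknown-tcp", "unknown-udp"})

# Constructed sample export with simplified columns (assumption: not the real
# PAN-OS schema). Rule names are assumptions as well.
SAMPLE_LOG = """\
receive_time,from,to,src,dst,app,proto,dport,action,rule
2024/01/10 09:00:01,LAN,SRV,10.1.1.50,10.2.2.10,dns,udp,53,allow,allow-ad-clients
2024/01/10 09:00:02,LAN,SRV,10.1.1.50,10.2.2.10,kerberos,tcp,88,allow,allow-ad-clients
2024/01/10 09:00:02,LAN,SRV,10.1.1.50,10.2.2.10,ldap,tcp,389,deny,deny-lan-to-srv-log
2024/01/10 09:00:03,LAN,SRV,10.1.1.50,10.2.2.10,msrpc,tcp,135,deny,deny-lan-to-srv-log
2024/01/10 09:00:03,LAN,SRV,10.1.1.50,10.2.2.10,ms-ds-smbv3,tcp,445,deny,deny-lan-to-srv-log
2024/01/10 09:00:04,LAN,SRV,10.1.1.50,10.2.2.10,incomplete,tcp,49670,deny,deny-lan-to-srv-log
2024/01/10 09:00:04,LAN,SRV,10.1.1.50,10.2.2.10,incomplete,tcp,49670,deny,deny-lan-to-srv-log
2024/01/10 09:00:05,LAN,SRV,10.1.1.51,10.2.2.10,ms-rdp,tcp,3389,deny,deny-lan-to-srv-log
2024/01/10 09:00:06,LAN,DMZ,10.1.1.50,10.3.3.5,web-browsing,tcp,80,deny,deny-lan-to-dmz
"""


def parse_traffic_log(text):
    """Parse a CSV export (header row first) into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def denied_summary(rows, from_zone, to_zone):
    """Count non-allowed sessions between two zones, keyed by (app, proto, dport)."""
    counts = Counter()
    for r in rows:
        if r["from"] != from_zone or r["to"] != to_zone or r["action"] == "allow":
            continue
        counts[(r["app"], r["proto"], int(r["dport"]))] += 1
    return counts


def classify_denied(summary, allowed=ALLOWED_APPS):
    """Sort denied traffic into what the allow rule should already cover (rule
    order or missing dependencies), what App-ID could not name (port only),
    and apps outside the list (admin tasks to allow deliberately or not)."""
    listed, unidentified, extra = set(), set(), set()
    for app, proto, port in summary:
        if app in UNIDENTIFIED:
            unidentified.add((proto, port))
        elif app in allowed:
            listed.add(app)
        else:
            extra.add(app)
    return {"already_listed": sorted(listed),
            "unidentified": sorted(unidentified),
            "extra": sorted(extra)}


def render_rules(allow_name, deny_name, from_zone, to_zone, apps=ALLOWED_APPS):
    """Render the allow rule and the deny-and-log rule placed right after it as
    PAN-OS configure-mode 'set' commands (syntax from memory; verify first)."""
    a = f"set rulebase security rules {allow_name}"
    d = f"set rulebase security rules {deny_name}"
    return [
        f"{a} from {from_zone}", f"{a} to {to_zone}",
        f"{a} source any", f"{a} destination any",
        f"{a} application [ {' '.join(sorted(apps))} ]",
        f"{a} service application-default", f"{a} action allow",
        f"{d} from {from_zone}", f"{d} to {to_zone}",
        f"{d} source any", f"{d} destination any",
        f"{d} application any", f"{d} service any", f"{d} action deny",
        f"{d} log-start yes", f"{d} log-end yes",
        f"move rulebase security rules {deny_name} after {allow_name}",
    ]


if __name__ == "__main__":
    summary = denied_summary(parse_traffic_log(SAMPLE_LOG), "LAN", "SRV")
    for (app, proto, port), n in summary.most_common():
        print(f"{n:4d}  {app:16s} {proto}/{port}")
    buckets = classify_denied(summary)
    print("listed but still denied (check rule order/dependencies):", buckets["already_listed"])
    print("unidentified app, port only:", buckets["unidentified"])
    print("not on the allow list, decide deliberately:", buckets["extra"])
    print("\n".join(render_rules("allow-ad-clients", "deny-lan-to-srv-log", "LAN", "SRV")))
```

Run it against a real export by reading the CSV into `parse_traffic_log` instead of `SAMPLE_LOG` and mapping your column names onto `from`, `to`, `app`, `proto`, `dport` and `action`. Apps in the "already listed" bucket mean the allow rule is not matching even though the App-ID is in it, which is the dependency problem the original poster ran into; the "unidentified" bucket is where application-default does not help and you have to look at the port.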

  • 2 accepted solutions
  • 7312 Views
  • 5 replies
  • 0 Likes