03-30-2012 02:19 PM
I am seeing several attempts by the same IP address utilizing t.120 to connect via port 3389 to the various Windows Servers that I have with external IP addresses (and, yes, some are actual Terminal Servers). I would love to be able to configure a threshold of denying this type of activity via the application with an activity threshold similar to the DoS Protection policies.
Is that feature available? Will it be available in future releases?
The attached file shows the Threat log entries of similar entries that I see all of the time. The IPs have been partially erased to mask the identity of the guilty party and victim.
03-30-2012 02:27 PM
I assume that you have already set up the "service" part for each security rule so it will only allow the IP and port which is expected, and then the App-ID is applied to only allow the correct application through that port?
I mean, so you don't use "service:any" for all your rules?
This way only legitimate clients can use legitimate ports on legitimate servers using the legitimate application.
Which also gives that if a non-authorized client attempts to connect, their attempt will simply be denied (and logged if you enable logging of denied connections).
03-30-2012 02:35 PM
My problem with that is that the servers in question are for our remote sales force that may be appearing from any IP address. I have not had any luck getting the VP of Sales to let me place VPN on the sales laptops.
03-30-2012 03:00 PM
Yeah, that was what first comes to mind... using RDP over the Internet for sensitive data... are you nuts? :smileygrin:
VPN seems to be the proper way to handle this, which will also include authentication of the client IP before it can even handshake an RDP session with the servers.
If I'm not mistaken there is a "free of charge" PA GlobalProtect Client which you can enable in your PA device in order to use SSL-VPN (this free client is limited to only do the SSL VPN stuff; the other nifty stuff of GlobalProtect is not included until you throw some money at PAN for a license).
Your sales person will point their browser to your PA IP address (or a DNS entry pointing to your IP) and after login they will have a Java-based SSL tunnel running between their box and your PA. Then they will be able to (through the VPN tunnel) access your RDP servers.
A hint here (even if it will cost some more money) is to integrate the authentication stuff with some sort of OTP solution. Nordic-Edge (among others) have such solutions; look here for a video explaining how it works: http://nordicedge.se/2010/06/11/palo-alto-networks-integration-till-nordic-edge-one-time-password-se...
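Until a per-application threshold like the one the original poster asks for exists in the firewall itself, the denied-connection logging suggested in the second reply can feed a simple detector. This is an added example, not code from the thread or from Palo Alto Networks: it parses constructed log lines in an assumed simplified format (timestamp, action, source, destination:port, app) and flags any source that hits port 3389 at least `threshold` times within a sliding `window_seconds` span, ignoring allowed sessions so that the roaming sales force is not counted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed simplified format
# (not real Threat log output from the thread).
SAMPLE_LOG = """\
2012/03/30 14:01:05 deny 203.0.113.7 -> 198.51.100.10:3389 app=t.120
2012/03/30 14:01:09 deny 203.0.113.7 -> 198.51.100.10:3389 app=t.120
2012/03/30 14:01:14 deny 203.0.113.7 -> 198.51.100.11:3389 app=t.120
2012/03/30 14:01:20 deny 203.0.113.7 -> 198.51.100.12:3389 app=t.120
2012/03/30 14:01:31 deny 203.0.113.7 -> 198.51.100.10:3389 app=t.120
2012/03/30 14:02:02 allow 192.0.2.44 -> 198.51.100.10:3389 app=ms-rdp
2012/03/30 14:05:40 deny 203.0.113.9 -> 198.51.100.10:3389 app=t.120
2012/03/30 14:09:00 deny 203.0.113.9 -> 198.51.100.10:3389 app=t.120
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r"(?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) app=(?P<app>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, action, src, dst, port, app); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                   m["action"], m["src"], m["dst"], int(m["port"]), m["app"])


def find_repeat_offenders(text, port=3389, threshold=5, window_seconds=60,
                          ignore_actions=("allow",)):
    """Return {src_ip: time_first_flagged} for sources with at least `threshold`
    non-allowed attempts against `port` inside any `window_seconds` span."""
    events = sorted(e for e in parse_log(text)
                    if e[4] == port and e[1] not in ignore_actions)
    recent = defaultdict(deque)   # per-source timestamps inside the window
    flagged = {}
    for ts, _action, src, _dst, _port, _app in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()             # drop attempts that fell out of the window
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, when in find_repeat_offenders(SAMPLE_LOG).items():
        print(f"{src}: threshold reached at {when}")
```

Tune `threshold` and `window_seconds` against your own logs before acting on the output; a source that is flagged is a candidate for a block list or a dynamic address group, not proof by itself.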