11-27-2015 02:35 AM
Hello,
In our company I need to block the remote desktop access of a specific address to the critical server like the database server.
I added a security rule in the PA-500 to block the (ms-rdp and t.120) applications to a specific address, but without any result.
How could I block the remote access?
Please, I need your help.
11-27-2015 03:28 AM
Hello,
You will find in the attachment a screenshot of the security rules in the PAN.
Thank you
11-27-2015 04:36 AM
You want to block same-zone traffic? If your client and server are on the same subnet, the traffic will not be forwarded to your Palo Alto (which is the default gateway for your clients, I think).
11-27-2015 05:06 AM
Yes, the servers and the client desktops are in the same subnet, the same security zone. So I can't block the traffic in this case with the PAN?
11-27-2015 05:44 AM
If you can't put the server in a separate subnet, then you could do it with a virtual wire or layer 2 setup.
Keep in mind that the traffic has to pass the firewall.
If client and server are both connected to a switch, then they talk directly, the traffic does not pass the firewall and you can't block this traffic.
11-27-2015 07:03 AM - edited 11-27-2015 07:04 AM
OK, thank you. So I can do this by configuring a virtual wire in the firewall; I connect the servers directly to the firewall or by using another switch. It is in the zone named "serverzone". Then I add a security rule from "internal" to "serverzone" restricting ms-rdp.
11-27-2015 07:57 AM
It is best practice to have users and servers in different zones.
What you could do at the moment is to add another layer 3 interface to the same zone you already have (inside) and attach the server directly to it.
Multiple interfaces can be in the same zone.
But in this case your traffic from the inside zone to the inside zone passes the firewall and you can control this traffic.
11-30-2015 03:11 AM
You could split up the user and server space by putting them in different VLANs and then using the firewall as a bridge; that way you should be able to keep your subnet configuration.
Please take a look at this guide: Getting Started: Layer 2 Interfaces
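Added example (not from this thread and not Palo Alto Networks code): a small Python model of why the original deny rule had no effect and what changes once the server sits behind its own firewall interface, as the replies above suggest (separate L3 interface in the same zone, or a vwire / layer 2 bridge between two VLANs with separate zones). Host names, addresses, VLAN labels, zone names and rules are all constructed for illustration. It assumes the firewall is the only link between L2 segments and models PAN-OS first-match policy evaluation together with its default intrazone-allow / interzone-deny rules.

```python
"""Why a security rule cannot block traffic the firewall never sees.

Hosts, addresses, VLANs, zones and rules here are constructed examples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Host:
    name: str
    ip: str        # address with prefix, e.g. "10.1.1.25/24"
    zone: str      # zone of the firewall interface this host sits behind
    segment: str   # L2 broadcast domain (VLAN / switch) the host is plugged into


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str          # zone name or "any"
    to_zone: str            # zone name or "any"
    destination: str        # "any" or a CIDR such as "10.1.1.200/32"
    applications: frozenset # App-IDs, or {"any"}
    action: str             # "allow" or "deny"


def same_subnet(a: Host, b: Host) -> bool:
    return ipaddress.ip_interface(a.ip).network == ipaddress.ip_interface(b.ip).network


def firewall_in_path(src: Host, dst: Host) -> bool:
    """Does a src->dst packet have to cross the firewall?

    Same L2 segment: the client ARPs for the server's MAC and the switch
    forwards the frame directly, so the firewall never sees it, whatever the
    policy says. Different segments (assumption: the firewall is the only
    link between them): every packet crosses it, either routed via the
    default gateway or bridged through a vwire / layer 2 interface pair.
    """
    return src.segment != dst.segment


def evaluate(src: Host, dst: Host, app: str, rules: Iterable[Rule]) -> str:
    """First-match policy lookup; returns "bypassed", "allow" or "deny"."""
    if not firewall_in_path(src, dst):
        return "bypassed"           # rule base is irrelevant here
    dst_ip = ipaddress.ip_interface(dst.ip).ip
    for r in rules:
        if r.from_zone not in ("any", src.zone):
            continue
        if r.to_zone not in ("any", dst.zone):
            continue
        if r.destination != "any" and dst_ip not in ipaddress.ip_network(r.destination, strict=False):
            continue
        if "any" not in r.applications and app not in r.applications:
            continue
        return r.action
    # PAN-OS default rules: intrazone-default allows, interzone-default denies
    return "allow" if src.zone == dst.zone else "deny"


RDP_APPS = frozenset({"ms-rdp", "t.120"})
DB_SERVER = "10.1.1.200"


def scenario_original(app: str = "ms-rdp") -> str:
    """Poster's setup: clients and DB server in one subnet, one VLAN, one zone."""
    client = Host("pc1", "10.1.1.25/24", "inside", "vlan10")
    server = Host("db1", f"{DB_SERVER}/24", "inside", "vlan10")
    rule = Rule("block-rdp-to-db", "any", "any", f"{DB_SERVER}/32", RDP_APPS, "deny")
    return evaluate(client, server, app, [rule])


def scenario_l3_same_zone(app: str = "ms-rdp") -> str:
    """Server on its own L3 firewall interface (new subnet), still zone 'inside'."""
    client = Host("pc1", "10.1.1.25/24", "inside", "vlan10")
    server = Host("db1", "10.1.2.200/24", "inside", "fw-ethernet1/3")
    rule = Rule("block-rdp-to-db", "any", "any", "10.1.2.200/32", RDP_APPS, "deny")
    return evaluate(client, server, app, [rule])


def scenario_vwire_zones(app: str = "ms-rdp") -> str:
    """Servers on a second VLAN bridged through the firewall; subnet kept."""
    client = Host("pc1", "10.1.1.25/24", "internal", "vlan10")
    server = Host("db1", f"{DB_SERVER}/24", "serverzone", "vlan20")
    rules = [
        Rule("block-rdp", "internal", "serverzone", "any", RDP_APPS, "deny"),
        Rule("allow-db", "internal", "serverzone", "any", frozenset({"mssql-db"}), "allow"),
    ]
    return evaluate(client, server, app, rules)


if __name__ == "__main__":
    for name, fn in [("original", scenario_original),
                     ("l3-same-zone", scenario_l3_same_zone),
                     ("vwire-zones", scenario_vwire_zones)]:
        for app in ("ms-rdp", "mssql-db", "ssh"):
            print(f"{name:14} {app:9} -> {fn(app)}")
```

Running it shows the three situations side by side: in the original layout every application reports "bypassed", because the client and server share a VLAN and the frames never reach the PA-500. Once the server hangs off its own L3 interface the deny rule takes effect for ms-rdp and t.120 while other applications fall through to intrazone-default allow. With the two-VLAN bridge and separate zones the interzone default becomes deny, so an explicit allow rule for the database application is needed alongside the RDP block.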