Firewall Policy



L1 Bithead

I am working to configure our new Palo Alto Firewall. In the policy section, I have configured one policy to allow the RDP service (3389) using source & destination IP address (Rule-20) and configured another rule (Rule-50) to deny all traffic.

 

Below is the summary of config-

 

Rule-20:

Source IP: 192.168.10.20

Dest IP: 192.168.15.20

App: RDP (3389)

Action: Allow

 

Rule-50:

Source IP: any

Dest IP: any

App: any

Action: Deny

 

But the traffic policy is not working. I think there should be one rule for the return traffic, but I am unable to configure it.

 

Need your advice to fix it.

 

Regards,

Meshbah


Accepted Solutions

Cyber Elite

I may be missing something but your original post does not mention this is a connection coming from outside, so am wondering if NAT is even necessary?

 

Could you check your log file to see which zones are associated with 192.168.10.20 and 192.168.15.20? You may need to set the correct zones in your policy (this is a zone-based firewall, so zones are very important).

How did you set the service in your rules? Application-default or a specific service?

 

 

FYI you don't need to create return rules, every flow is created bidirectionally and will accept returning packets automatically

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


It works now. I had created an application rule based on the destination port, which was not compatible. However, there was already a built-in app on the required port. After configuring that app, it works now. Thanks for your support.

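As an added illustration of the two points that resolved this thread (the zones in the rule must match the zones the firewall assigns to the hosts, return traffic rides the session created by the first allowed packet so no return rule is needed, and a rule naming a custom port-based app object does not match traffic the firewall identifies as the built-in app), here is a toy Python model of a zone-based, stateful policy. It is not PAN-OS code or anything posted in the thread. It assumes 192.168.10.20 sits in a zone called trust and 192.168.15.20 in a zone called dmz, uses ms-rdp as the identified application name, and uses rdp-custom as a hypothetical name for the custom app object the original poster had created.

```python
"""Toy model of a zone-based, stateful firewall policy (constructed example, not PAN-OS code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    app: str  # application as identified by the firewall, e.g. "ms-rdp"


@dataclass
class Rule:
    name: str
    src_zones: frozenset
    src_ips: frozenset
    dst_zones: frozenset
    dst_ips: frozenset
    apps: frozenset
    action: str  # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        def hit(allowed, value):
            return "any" in allowed or value in allowed
        return (hit(self.src_zones, pkt.src_zone) and hit(self.src_ips, pkt.src_ip)
                and hit(self.dst_zones, pkt.dst_zone) and hit(self.dst_ips, pkt.dst_ip)
                and hit(self.apps, pkt.app))


class ZoneFirewall:
    def __init__(self, rules):
        self.rules = list(rules)          # evaluated top-down, first match wins
        self.sessions = {}                # key of the first packet -> name of the allowing rule

    @staticmethod
    def key(pkt: Packet):
        return (pkt.src_zone, pkt.src_ip, pkt.dst_zone, pkt.dst_ip, pkt.app)

    def process(self, pkt: Packet):
        """Return (action, reason) for one packet."""
        # Reply packets of an established flow match the existing session, not the rulebase,
        # which is why no separate "return traffic" rule is ever needed.
        reverse = (pkt.dst_zone, pkt.dst_ip, pkt.src_zone, pkt.src_ip, pkt.app)
        if reverse in self.sessions:
            return "allow", "session:" + self.sessions[reverse]
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.sessions[self.key(pkt)] = rule.name   # session created on first packet
                return rule.action, rule.name
        return "deny", "implicit-deny"


def build_policy(rule20_src_zone, rule20_dst_zone, rule20_app):
    """Rule-20 and Rule-50 from the thread, with the zone and app fields left configurable."""
    rule20 = Rule("Rule-20", frozenset({rule20_src_zone}), frozenset({"192.168.10.20"}),
                  frozenset({rule20_dst_zone}), frozenset({"192.168.15.20"}),
                  frozenset({rule20_app}), "allow")
    rule50 = Rule("Rule-50", frozenset({"any"}), frozenset({"any"}), frozenset({"any"}),
                  frozenset({"any"}), frozenset({"any"}), "deny")
    return ZoneFirewall([rule20, rule50])


# Assumed zone assignment of the two hosts (the firewall decides this from its interfaces).
ACTUAL_SRC_ZONE = "trust"
ACTUAL_DST_ZONE = "dmz"


def rdp_session(fw, identified_app="ms-rdp"):
    """Send the client's first packet and the server's reply; return both verdicts."""
    forward = Packet(ACTUAL_SRC_ZONE, "192.168.10.20", ACTUAL_DST_ZONE, "192.168.15.20", identified_app)
    reply = Packet(ACTUAL_DST_ZONE, "192.168.15.20", ACTUAL_SRC_ZONE, "192.168.10.20", identified_app)
    return [fw.process(forward), fw.process(reply)]


def wrong_zones():
    # Rule-20 written untrust -> untrust while the hosts live in trust/dmz: everything hits Rule-50.
    return rdp_session(build_policy("untrust", "untrust", "ms-rdp"))


def correct_zones():
    # Zones match: the first packet is allowed by Rule-20 and the reply is allowed by the session.
    return rdp_session(build_policy("trust", "dmz", "ms-rdp"))


def custom_app_name():
    # Rule-20 references the hypothetical custom object "rdp-custom"; traffic is identified as ms-rdp.
    return rdp_session(build_policy("trust", "dmz", "rdp-custom"))


if __name__ == "__main__":
    for label, fn in (("wrong zones", wrong_zones), ("correct zones", correct_zones),
                      ("custom app name", custom_app_name)):
        print(f"{label}: {fn()}")
```

In the wrong-zones and custom-app cases Rule-20 is never hit and every packet, forward and reply, lands in Rule-50, which is exactly the log pattern the original poster described (Rule-50 full, Rule-20 empty). Only when the zones and the identified application both match does Rule-20 allow the first packet, and the reply is then accepted against the session without any additional rule.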

5 Replies

L1 Bithead

If you are passing traffic from untrust to trust zones you are also going to need a NAT rule as well as the security rule to make this work.

It would be like this.

Source zone and destination zone = both untrust

Destination address = 192.168.10.20

Service RDP tcp port 3389 ( you may need to create this in objects, services)

Destination translation = 192.168.15.20

 

This is assuming these are on different network subnets.

Thanks for your advice.

 

I have configured it with both zones as untrust, but it is not working. While checking the Rule-50 log, I noticed all traffic is denied. If I open the Rule-20 log viewer, there is no traffic there.

 

Is there any rule that needs to be created before Rule-50, for the return traffic from destination to source to be accepted for Rule-20?

 

 

If your traffic is missing rule 20 and hitting your deny-all at rule 50, there is something about your traffic that does not match rule 20. Make sure the service you specified in the NAT rule is also added to the security rule.

The NAT rule is untrust to untrust and the security rule is untrust to trust.

 

Chris

