This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Having problems with TCP port allowance

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Having problems with TCP port allowance

ruiptoliveira
L1 Bithead

‎03-12-2024 04:22 PM

Good morning/afternoon/night to everyone.

I'm using for the first time Palo Alto Firewall and I'm having some troubles allowing TCP port 2245.

 

At the moment I have this NAT Rules:

Captura de ecrã 2024-03-12, às 23.13.36.png

 

and I have this Security Rules:

Captura de ecrã 2024-03-12, às 23.14.26.png

 

PS: note that I also have some rules for TCP/UDP ports related to WHM and cPanel.

Can someone tell me if I'm doing something wrong?

 

Other important infos

  • gp-public and gp-public-2 are the two public IP addresses that are associated to the server
  • mainCyber_Private is the private IP for the server
  • Captura de ecrã 2024-03-12, às 23.15.36.png
  • Monitor:
    Captura de ecrã 2024-03-12, às 23.17.58.png
  • I don't have a "private firewall" on the server
  • The server is listening on that port and that port can be accessed internally:
    Captura de ecrã 2024-03-12, às 23.21.38.png

    Captura de ecrã 2024-03-12, às 23.22.02.png
0 Likes Likes
4 REPLIES 4

JayGolf
Community Team Member

‎03-12-2024 10:32 PM - edited ‎03-12-2024 10:39 PM

Hi @ruiptoliveira ,

 

From a quick glance, your NAT and Security Policy looks good. I'm assuming one of those IPs in the destination is the true source IP (internal) of the server and I see the traffic is being allowed.

 

If you click on detailed log view of the traffic, can you verify NAT is forwarding to the correct private IP. Also check if the traffic shows it show bytes sent, but not returned? If none are being returned then there could be an issue with the traffic getting down to the private server or an issue with the private server itself. Do you have any L3 devices between the firewall and the server? I see the localhost test shows the server is listening on the service port. Can you test from another host that doesn't traverse the Palo to get to the server? If that test works, could you run a tcpdump on the private server to see if you see the forwarded packets getting there? If so, I would verify that the server has a default gateway configured so it knows to point the return traffic up through your Palo since I see the public true source IP will be going through the Palo. You can test out L3 issues by applying a SNAT translation to the inside interface of your Palo and see if your traffic is successful then. 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

JoergSchuetter
L4 Transporter

‎03-13-2024 12:46 AM

Hello

 

The NAT rule let me assume, that you are using IPv4. On the other hand the "curl" command was using IPv6. Is the given port reachable w/ IPv4 as well?

0 Likes Likes

ruiptoliveira
L1 Bithead
In response to JayGolf

‎03-16-2024 09:28 AM

Hello Jay,
Hope everything's good with you and your family/friends.

 

I've followed your advice to check the detailed logs of monitor (to be honest, for some reason, I never went there), and I found something that I think is odd (the source port is 51238 and I'm not sure if it is supposed to be like this since I'm searching on the web for DOMAIN.COM:2245 or using Postman for the domain:2245 or ip:2245).

WhatsApp Image 2024-03-13 at 17.16.33.jpeg

WhatsApp Image 2024-03-13 at 17.19.05.jpeg

0 Likes Likes

ruiptoliveira
L1 Bithead
In response to JoergSchuetter

‎03-16-2024 09:31 AM

Hey Joerg,
Hope everything is okay with you and your family.

I'm not sure if I understood your question, but I think I did.
I've internally tested the port for the local IPv4 (127.0.0.1) and it works just fine.

Captura de ecrã 2024-03-16, às 16.30.05.png

0 Likes Likes
  • 1141 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks