This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Having trouble granting access for an application

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Having trouble granting access for an application

pasmartin
L2 Linker

‎07-25-2014 04:50 AM

Hi!

One of our customers have RDP access to a server, works like a charm.

And now I was about to grant access to an application using port 4850 and 4851, but it would seem that this wouldn't be that simple.

I've attached the NAT of the working RDP, and the non-working OPC application:

nat.PNG

(I've also added the newly created application to the existing Security rule that allows RDP.)


I want to add that the newly created application has not been given any signatures - only properties, characteristics, timeouts and the ports itself. But even if the application somehow is "wrongly" created, at least the ports should be registered open?

Anyone have any clue as to what I might have forgotten, or rather have done wrong?

I'll provide more information if needed.

0 Likes Likes
4 REPLIES 4

pasmartin
L2 Linker

‎07-25-2014 05:30 AM

Thought I found a solution, but this didn't work either:

Adding a Custom Application/Ports to Security Policy
security.PNG

Added the services without the RDP at first, noticing the connection was terminated, and was re-established when I added it. So there must be something I'm missing in regards to the other ports.

0 Likes Likes

ajbool
L3 Networker

‎07-25-2014 06:34 AM

Create an "Application Override" policy for your new application for traffic destined to the server's IP and port....

0 Likes Likes

HULK
L7 Applicator
In response to pasmartin

‎07-25-2014 08:39 AM

Hello Pred-martin,

(1) Could you please check, if there is any session available on the PAN firewall, Use CLI by using '>show session all filter source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION'. ( Collect the session ID)


(2) If there is a session exist for the same traffic,  then please apply  CLI command PAN> show session id XYZ   >>>>>>>> to get detailed information about that session, i.e Application, port, NAT rule, security rule, ingress/egress interface etc.

(3)   verify the global counters, if a specific "DRP" counter is increasing rapidly.

- Create a packet filter under GUI > Monitor > Packet capture

-Apply below mentioned command multiple times, while try to establish the RDP connection. ( with 2 seconds interval)


> show counter global filter packet-filter yes delta yes


The command show counter global provides information about the processes/actions taken on the packets going through the device; if they are dropped, nat-ed, decrypted etc.  These counters are for all the traffic going through the device and are useful in troubleshooting issues; like packet loss. It is advised to use the command show counter global filter packet-filter yes delta yes in conjunction with filters to obtain meaningful data.

For more information, you can follow the DOC What is the Significance of Global Counters?

(4) Could you please share the custom service details ( snapshot) for OPC-UA-4850, OPC-UA-4851, RDP-3390.

Hope this helps.

Thanks

0 Likes Likes

pasmartin
L2 Linker
In response to HULK

‎07-31-2014 01:50 AM

Sorry for my delayed response to your help.

I tried the Application Override, to no avail. I also conferred with a "local" support, who claimed everything looked like it should be.
As for your "CLI option", HULK, I didn't get any results. Don't know whether that was due to wrong input or something else, but I couldn't use more time on the issue, so I just added the external IP to the server in question, which solved everything. Guess I must have missed a detail in regards to the NAT-ing(?!), but the question is what. The setup was indentical to the working RDP.

Thanks anyway Smiley Happy

0 Likes Likes
  • 3713 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks