07-25-2014 04:50 AM
Hi!
One of our customers has RDP access to a server; it works like a charm.
And now I was about to grant access to an application using port 4850 and 4851, but it would seem that this wouldn't be that simple.
I've attached the NAT of the working RDP, and the non-working OPC application:
(I've also added the newly created application to the existing Security rule that allows RDP.)
I want to add that the newly created application has not been given any signatures - only properties, characteristics, timeouts and the ports themselves. But even if the application somehow is "wrongly" created, at least the ports should be registered as open?
Anyone have any clue as to what I might have forgotten, or rather have done wrong?
I'll provide more information if needed.
07-25-2014 05:30 AM
Thought I found a solution, but this didn't work either:
Adding a Custom Application/Ports to Security Policy
Added the services without the RDP at first, noticing the connection was terminated, and was re-established when I added it. So there must be something I'm missing in regards to the other ports.
07-25-2014 08:39 AM
Hello Pred-martin,
(1) Could you please check if there is any session available on the PAN firewall, using the CLI command '> show session all filter source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION'. (Collect the session ID.)
(2) If a session exists for the same traffic, then please apply the CLI command 'PAN> show session id XYZ' to get detailed information about that session, i.e. application, port, NAT rule, security rule, ingress/egress interface, etc.
(3) Verify the global counters to see if a specific "DRP" counter is increasing rapidly.
- Create a packet filter under GUI > Monitor > Packet Capture.
- Apply the command below multiple times (at 2-second intervals) while trying to establish the RDP connection:
> show counter global filter packet-filter yes delta yes
The command show counter global provides information about the processes/actions taken on the packets going through the device: whether they are dropped, NAT-ed, decrypted, etc. These counters cover all the traffic going through the device and are useful in troubleshooting issues like packet loss. It is advised to use the command show counter global filter packet-filter yes delta yes in conjunction with filters to obtain meaningful data.
For more information, you can follow the DOC What is the Significance of Global Counters?
(4) Could you please share the custom service details (snapshot) for OPC-UA-4850, OPC-UA-4851 and RDP-3390.
Hope this helps.
Thanks
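Step (3) above amounts to taking two counter samples and looking for drop-severity counters whose value went up. The script below is an added example, not part of the thread or of PAN-OS itself: it parses the table layout of 'show counter global' from two constructed samples (the counter names and values are illustrative, not a real capture) and lists the drop counters that increased.

```python
"""Parse PAN-OS 'show counter global' output and report drop counters that
rose between two samples (the manual "delta yes" check from the reply above).
Added example; the samples below are constructed, not captured."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the CLI's table layout (name value rate severity
# category aspect description). Counter names/values are illustrative only.
SAMPLE_BEFORE = """\
Global counters:
Elapsed time since last sampling: 2.017 seconds

name                  value     rate severity  category  aspect    description
------------------------------------------------------------------------------
pkt_recv               1200      600 info      packet    pktproc   Packets received
session_allocated         5        2 info      session   resource  Sessions allocated
flow_policy_deny         10        0 drop      flow      session   Session setup: denied by policy
flow_policy_nat_land      3        0 drop      flow      session   Session setup: NAT LAND attack
"""
# Second constructed sample: traffic kept flowing and policy denies climbed.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("pkt_recv               1200      600", "pkt_recv               2400      600")
SAMPLE_AFTER = SAMPLE_AFTER.replace("flow_policy_deny         10        0", "flow_policy_deny         52       21")

# One counter row: name, integer value, integer rate, then three words and free text.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_counters(text: str) -> Dict[str, dict]:
    """Return {counter name: {value, rate, severity, category, aspect, description}}."""
    counters: Dict[str, dict] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:  # banner, blank, header and separator lines never match
            continue
        name, value, rate, sev, cat, aspect, desc = m.groups()
        counters[name] = {"value": int(value), "rate": int(rate), "severity": sev,
                          "category": cat, "aspect": aspect, "description": desc.strip()}
    return counters


def rising_drops(before: Dict[str, dict], after: Dict[str, dict]) -> List[Tuple[str, int, str]]:
    """Drop-severity counters whose value increased between samples, largest delta first."""
    out: List[Tuple[str, int, str]] = []
    for name, cur in after.items():
        delta = cur["value"] - before.get(name, {}).get("value", 0)
        if cur["severity"] == "drop" and delta > 0:
            out.append((name, delta, cur["description"]))
    return sorted(out, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, delta, desc in rising_drops(parse_counters(SAMPLE_BEFORE), parse_counters(SAMPLE_AFTER)):
        print(f"{name:<24}+{delta:<6}{desc}")
```

A counter that rises only while the failing OPC connection is attempted (with the packet filter narrowing the counters to that flow) points at the stage where the firewall discards it.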
07-31-2014 01:50 AM
Sorry for my delayed response to your help.
I tried the Application Override, to no avail. I also conferred with a "local" support, who claimed everything looked like it should be.
As for your "CLI option", HULK, I didn't get any results. Don't know whether that was due to wrong input or something else, but I couldn't use more time on the issue, so I just added the external IP to the server in question, which solved everything. Guess I must have missed a detail in regards to the NAT-ing(?!), but the question is what. The setup was identical to the working RDP.
Thanks anyway