12-06-2017 06:01 PM
Good day.
I am new to handling firewalls. We used Juniper before (I did not set it up).
Before, we could remote access (Remote Desktop Protocol) our network. I would like to set up that kind of connection again.
Before, on the Remote Desktop Connection, we just put IP address:port number + domain account (authentication).
How do I set up something like that?
Thank you.
Best regards,
Uldridge
12-07-2017 01:09 AM
Hi @ugalarosa
Most likely your policy should look like this:
from: source zone
to: destination zone
application: ms-rdp
service: a service object containing the appropriate port(s) for your RDP
action: allow
profile: security profiles to scan your sessions for malicious content
12-07-2017 09:47 AM
Do you already have GlobalProtect configured to actually allow users to VPN into the network, or was your Juniper simply set up with NAT statements to direct traffic to the proper desktop from the outside?
Generally for something like this you would set up GlobalProtect to allow remote access into the network, and then your RDP port would actually be left alone and everyone would simply RDP to the hostname or the IP assigned to the host of their workstation. If you are using random RDP ports on the machines, then what @reaper has listed would need to be done to actually allow that access, since you are not using the standard ports for the ms-rdp App-ID.
If you were going to your public IP address on specific ports to access your machine remotely, I would really recommend you switch to having users VPN into the network instead of opening up these ports for outside access. While the Palo Alto is perfectly capable of mimicking this configuration, if this is what you were doing, it is by no means a secure configuration at all.
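Putting the two replies above together, here is an added example (it is not from either poster and not from the thread) of what the objects and rules look like as PAN-OS CLI `set` commands, entered in configure mode. Everything named here is an assumption for illustration: zones `untrust` (internet-facing) and `Trust` (where the server sits), both on layer 3 interfaces; an internal RDP host `192.168.10.20`; its public IP `203.0.113.5`; a single permitted remote client `198.51.100.7`; and the sample custom port `12345` from the thread. The host being reached goes in the destination address and the client that is allowed to connect goes in the source address. The NAT rule reproduces the Juniper-style port forward that BPry warns against; if RDP must be exposed this way, at least pin the source to known client addresses rather than `any`.

```panos
# --- objects ---------------------------------------------------------
# Custom TCP port the remote client connects to (12345 is the sample
# value from the thread).
set service rdp-12345 protocol tcp port 12345

# Assumed addresses: internal RDP host, its public (pre-NAT) IP, and the
# one remote client that is allowed to reach it.
set address rdp-server    ip-netmask 192.168.10.20/32
set address rdp-public-ip ip-netmask 203.0.113.5/32
set address rdp-client    ip-netmask 198.51.100.7/32

# --- destination NAT (the Juniper-style port forward) ----------------
# Inbound DNAT is written from untrust to untrust: the "to" zone is the
# zone that owns the public IP, not the zone of the internal server.
# translated-port 3389 assumes the server listens on the standard RDP
# port; drop it if the server itself listens on 12345.
set rulebase nat rules dnat-rdp from untrust to untrust source rdp-client destination rdp-public-ip service rdp-12345 destination-translation translated-address rdp-server translated-port 3389

# --- security policy -------------------------------------------------
# PAN-OS matches security policy on the POST-NAT zone (Trust) but the
# PRE-NAT destination address and port (the public IP, port 12345).
# Getting this pair wrong is the usual reason a new port forward is
# silently dropped. The explicit service object is what lets App-ID
# identify ms-rdp on a non-standard port.
set rulebase security rules allow-rdp-remote from untrust to Trust source rdp-client destination rdp-public-ip application ms-rdp service rdp-12345 action allow
set rulebase security rules allow-rdp-remote profile-setting profiles virus default vulnerability default spyware default
set rulebase security rules allow-rdp-remote log-end yes

# The weakened form the original Juniper setup probably had: any source
# on the internet may attempt an RDP login against the domain account.
# Left commented out on purpose; do not use it.
# set rulebase security rules allow-rdp-remote source any

commit
```

The "default" virus, vulnerability and spyware profiles ship with PAN-OS; replace them with your own profiles or a profile group once you have tuned them. The GlobalProtect alternative BPry recommends (portal, gateway, certificates and user authentication) is a separate piece of configuration and is not shown here.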
12-07-2017 10:22 PM
Hi @reaper,
Good day.
I tried to copy the policy as much as possible,
but I have some concerns. (Sorry, I am new to Palo Alto.)
In the picture you sent:
Source:
zone: there is no "local". I can only choose from access, external, internal, ISP2, Trust, untrust. I'm not sure if I can create local, and if I can, I don't know how.
Destination:
zone: same as above for "remote". Only the listed choices were there.
Destination/Source:
Address: I only want a specific IP address where the client PC can connect. Where will I input it, at Source address or Destination address?
Service:
I created a service. Please check if my settings are correct.
Name: test
Description: blank
Protocol: TCP
Destination Port: 12345 (sample only)
Source Port: blank
Tags: blank
Also, I tested:
Source zone: internal
Destination zone: access
Address: any for both.
and I got this message.
12-07-2017 10:33 PM
Hi @BPry,
I have read some items about GlobalProtect but I still don't understand how it works or how to configure it.
I'm new to this Palo Alto.
I'm not the one who set up the Juniper, so I don't know.
If you could help me find step-by-step instructions on how to remote into my server, it would be a big help.
Thank you.
Best regards,
12-07-2017 11:59 PM
Hi @ugalarosa
Zones can be given any name you like to best reflect a topology that makes sense to you.
In my lab I have my internal zone and my external zone, which makes it easier to illustrate what is where, but you can have very different zones (dmz, lan, wan, ...). You can configure/review your zones in Network > Zones.
I created the "getting started" series a while ago; you may want to check it out, as it'll help you understand some concepts.
Your service looks perfect.
The error message indicates you created a security policy that would allow sessions to flow between two incompatible interfaces:
one of your zones is attached to a layer 3 interface while the other is connected to a vwire, which is a "bump in the wire" directly between two interfaces.
Please have a look at the getting started series and let me know if something is not clear yet.
12-08-2017 05:52 PM
Hi @reaper,
Good day.
I will check the guide you prepared and will update this post.
Your assistance is highly appreciated.
Thank you very much.
12-14-2017 05:07 PM
I haven't solved my problem and I am coordinating with our local supplier/support, but I can close this ticket and will try to post later what happens with my issue.