How to allow RDP with specific port.

Showing results for 
Search instead for 
Did you mean: 

How to allow RDP with specific port.

L1 Bithead

Good day.


I am new in handling firewall. We use juniper before (i did not setup).


Before we can remote access (remote desktop protocol) our network. I would like to setup that kind of connection again.


Before on the remote desktop connection, we just put IP Address:port number + domain account (authentication).


How to setup like that?


Thank you.


Best regards,





Accepted Solutions

I havent solve my problem and I am coordinating with our local supplier/support but i can close this ticket and will try to post later what happen on my issue

View solution in original post


Cyber Elite
Cyber Elite

Hi @ugalarosa


Most likely your policy should look like this:

From source zone

to destination zone

application ms-rdp

service: a service object containing the appropriate port(s) for your rdp

action allow

profile: security profiles to scan your sessions for malicious content


rdp policy.png

Tom Piens

Cyber Elite
Cyber Elite


Do you already have GlobalProtect configured to actually allow users to VPN into the network, or was your Juniper simply setup with NAT statements to direct traffic to the proper desktop from the outside? 

Generally for something like this you would setup GlobalProtect for allowing remote access into the network, and then your RDP port would actually be left alone and everyone would simply RDP to the hostname or the IP assigned to the host of their workstation. If you are using random RDP ports on the machines, then what @reaperPANgurus has listed would need to be done to actually allow that access since you are not using the standard ports for the ms-rdp app-id. 

If you were going to your Public IP address on specific ports to access your machine remotely, I would really recommend you switch to having users VPN into the network instead of opening up these ports for outside access. While the Palo Alto is perfectly capable of mimicing this configuration, if this is what you were doing, it is by no means a secure configuration at all. 

Hi @reaperPANgurus,


Good day.


I tried to copy the policy as much as possible.


but I have some concern. (Sorry I am new to Palo Alto)


In the picture you send



zone: the is no "local". I can only choose from access, external, internal, ISP2, Trust, untrust. I not sure if I can create local. and if I can i dont know how.



zone: same as above I do have remote. Only the the listed choices was there.



Address: I only want an specific IP address where the client PC can connect.  Where will I input it at Source address or Destionation address?



I created a service. Please check if my setting is correct.


Name: test

Description: blank

Protocol: TCP

Destionation Port: 12345 (sample only)

Source Port: blank

Tags: Blank


Also I tested.

Source zone: internal

Destination zone: access


address: any for both.


and i have this msg.


Status: Completed
Result: Failed
  • In VSYS vsys1 from zone Internal of type vwire and to zone access of type layer3 are incompatible in security rule Remote Desktop Protocol
  • Configuration is invalid
Thank you.
Best regards,

Hi @BPry,


I have read some items about globalprotect but I still dont understand how it works or how to configure.


Im new to this Palo Alto..


Im not the one who setup the Juniper so I dont know.


Is you could help me to find a step by step insturction how to remote my server. It will be a big help.


Thank you.


Best regards,

hi @ugalarosa


zones can be given any name you like to best reflect a topology that makes sense to you

in my lab i have my internal zone and my external zone, which makes it easier to illustrate what is where but you can have very different zones (dmz, lan, wan, ...). You can configure/review your zones in Network > Zones 


I created the "getting started series" a while ago, you may want to check it out as it'll help you understand some concepts 


your service looks perfect


the error message indicates you created a security policy that would allow sessions to flow between two incompatible interfaces 

one of your zones is attached to a layer3 interface while the other is connected to a vwire, which is a "bump in the wire" directly between two interfaces


Please have a look at the getting started series and let me know if something is not clear yet

Tom Piens

Hi @reaperPANgurus,


Good day.


I will check the guide you prepare. and will update this post.


Your assistance is highly appreciated.


Thank you very much.

I havent solve my problem and I am coordinating with our local supplier/support but i can close this ticket and will try to post later what happen on my issue

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!