03-03-2019 01:54 AM
Hi,
How do I configure PAN to allow SFTP traffic over a public IP?
Thanks
KM
03-03-2019 01:06 PM
From internal to the internet or from the internet to a host in your internal network?
In both cases you need a NAT rule and a security policy rule that allows ssh.
03-03-2019 10:49 PM
Thanks for your reply, I am new to this process.
I am working on a task to migrate existing DMZ traffic from ASA to Palo Alto.
03-09-2019 09:43 AM
What exactly are you trying to configure? Allow sftp from internal/dmz to the internet or from the internet to an internal or dmz server? If from the internet, does your server have a public or private IP?
In order to let the community help, you need to give us some more information about the situation.
03-11-2019 05:13 AM
Hi,
Configuration to allow sftp from dmz to internet.
Thanks
KM
03-11-2019 10:15 AM
Does your DMZ server have a private IP? If yes, then you need a security policy rule that allows ssh from your DMZ server zone and IP to the internet. In addition, you need a NAT rule with your DMZ server zone/IP as source and the internet zone as destination. In the translated address tab, configure dynamic IP and port and interface IP. There you choose your internet-facing interface and the corresponding IP.
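The outbound setup described in the reply above, written as PAN-OS configure-mode CLI. This is an added example, not part of the original thread; the rule name `dmz-sftp-out`, the zone names `dmz` and `untrust`, the server address `10.10.10.20` and the interface `ethernet1/1` are assumptions to be replaced with your own values, and the lines starting with `#` are annotations, not commands.

```text
# Source NAT: DMZ server -> internet, translated to the IP of the
# internet-facing interface (dynamic IP and port).
# Assumed values: zones dmz/untrust, server 10.10.10.20, interface ethernet1/1.
set rulebase nat rules dmz-sftp-out from dmz
set rulebase nat rules dmz-sftp-out to untrust
set rulebase nat rules dmz-sftp-out source 10.10.10.20
set rulebase nat rules dmz-sftp-out destination any
set rulebase nat rules dmz-sftp-out service any
set rulebase nat rules dmz-sftp-out source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Security policy: allow only the DMZ server to reach the internet over SSH.
# SFTP runs inside SSH, so the application is ssh; application-default
# restricts the rule to the standard SSH port (tcp/22).
set rulebase security rules dmz-sftp-out from dmz
set rulebase security rules dmz-sftp-out to untrust
set rulebase security rules dmz-sftp-out source 10.10.10.20
set rulebase security rules dmz-sftp-out destination any
set rulebase security rules dmz-sftp-out application ssh
set rulebase security rules dmz-sftp-out service application-default
set rulebase security rules dmz-sftp-out action allow

commit
```

Restricting `destination` to the known SFTP partner addresses instead of `any` keeps the rule from permitting general outbound SSH from the DMZ host.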
03-14-2019 04:49 AM - edited 03-14-2019 05:20 AM
Hi,
I did create a NAT policy where both source and destination are untrust zones, source - any, destination is public IP and destination address translation is private IP (sftp IP). Hope I am right.
Policy:
source: untrust, IP address: any
destination: trust, IP address: not sure which IP I should give, sftp private IP or public IP.
application: any, service: sftp, action allow
Thanks
KM
03-14-2019 02:12 PM
Hello,
Check out this article, it may help out:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CllzCAC
Regards,
03-18-2019 05:49 AM
Hello,
Thanks for the link... I read a few documents.
Looks like this will exactly serve my purpose.
I am adding a new external IP (public IP) and pointing it to the existing sftp IP (private IP). Correct me if I am wrong.