09-14-2016 03:07 AM
Hi,
My colleague requested that a server communicate with an outside server (internet) using SFTP, but they want to use port 9122.
On the firewall rule I cannot find a way to do it. I know SFTP uses SSH port 22. I tried defining port 9122 and ssh as the application, but it doesn't work. Anybody have any idea? TIA
Chris
09-14-2016 03:30 AM
Hi,
Did you try this?
So you need to have a custom application and override policy in place.
Cheers,
Myky
09-14-2016 05:43 AM
When you specified the application SSH and the port tcp/9122, what did your deny logs say?
If the Palo is seeing the traffic as SSH and it is in fact communicating out via 9122, you shouldn't need to create a custom application.
09-14-2016 06:18 AM - edited 09-14-2016 06:36 AM
Agreed. Sorry, I didn't read properly. Check the logs, do a PCAP if needed, and add that port to the security policy service tab with the SSH app.
09-14-2016 07:06 PM
Hi guys, thanks for the reply. More info below. Currently the setup is:
local server <-> Palo Alto VLAN interface (dmz zone) <-> internet (public ip/26) <-> remote server
I have a NAT rule as below:
source ip = local server ip
source zone = dmz
dest zone = internet
destination address = any
destination interface = any
service = any
translation type = static
destination translation = none
On the firewall rule I have:
source ip = local server
dest ip = remote server ip
source zone = dmz
dest zone = internet
application = any
service = specified as 9122
With this setup, if the server initiates SFTP it doesn't even go through the internet zone. If I filter the traffic in the monitor I can see it going through dmz and then inside (another zone on the firewall) to our AD server, probably because of DNS. But if I set the firewall rule service to "any", it is working. So far I tried:
set application as ssh, service port as 9122 = doesn't work
created a custom application with port 9122, but it doesn't work (but maybe my config is wrong)
09-14-2016 08:55 PM
When you set the service to "any" what does the traffic log say the tcp port was?
09-14-2016 09:44 PM
Hi Brandon,
The traffic log shows it is using port 9122 and ssh is the application, which to me is correct since SFTP is FTP using SSH on port 22.
But in my setup we wanted to force SFTP to work with 9122, and the system doesn't allow modifying the ssh default port, which is 22. This is what I'm trying to find out: whether there is a way to do it. Thanks
09-15-2016 12:28 AM
Hi,
I am a bit confused now.
1) Are your servers running SFTP on port 9122? So both listening on port 9122.
2) In your NAT configuration, do you want both sides to initiate a connection? If yes, use the bi-directional option in the NAT and an appropriate policy.
On the Palo, if you specified SSH as the app and port 9122 it should allow traffic on this port. If it does not work, create a custom application with a policy override. Just a custom application wouldn't work.
How about running a PCAP on the firewall and creating a filter so you can see only the communication between the servers?
09-15-2016 01:09 AM
Hi tranceforlife, oh sorry if my details are confusing.
1. The machine on our side is the one initiating the SFTP, and we use telnet to test: telnet x.x.x.x 9122
2. As said, the machine on our side is the one initiating the SFTP, but by the way I already ticked the bidirectional option.
Sorry, I'm quite new to this firewalling (esp. Palo Alto) so I'm struggling doing this =(
09-15-2016 01:25 AM - edited 09-15-2016 02:48 AM
Hi,
No worries. That explains why it didn't work when you used ssh in the app tab and port 9122: because you actually used the telnet app to test it. When you changed to any it did work. So I would suggest using PuTTY or actual ssh (you can change the default port, I believe, in the CLI on any system for a test) to run actual ssh and test with custom port 9122.
09-15-2016 01:50 AM
I just tried the custom application with policy override but no luck. I followed this one
09-15-2016 02:07 AM - edited 09-15-2016 06:51 AM
Hi,
Could you please tell me what exactly didn't work?
1) Traffic was denied?
2) You didn't get a reply from the server?
3) Traffic hitting the wrong rule?
Can you talk to the server? I think the option would be to create an any/any rule to make sure you can actually talk to it (ping the server),
and after that we will go further.
09-15-2016 02:35 AM
Sorry to confuse with my sentence. Actually we are using both telnet and FileZilla to test, every time I make a change, but neither works. If set to any/any there is no problem using either telnet or FileZilla to test.
09-15-2016 02:58 AM
Oh sweet **bleep**!!! It's working now haha. The custom application works. It's just that I didn't choose "application-default" in the service portion. After I changed it, I tested and it's working =). So this link is working.
Thanks a lot to all who replied on this! Really, really appreciate it. God bless you all.
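The thread's two sticking points, an SSH rule on port 9122 not matching a telnet test session and a custom application only matching once its service was set to "application-default", both come down to a security rule matching on application AND service. The following is an added illustration, not code from the thread or from Palo Alto Networks: a simplified model of that match, with a constructed default-port table and a hypothetical custom app named sftp-9122.

```python
# Added example: a toy model of how a Palo Alto security rule matches a
# session on both the App-ID result and the service (port). The default-port
# table, rule names and the custom app "sftp-9122" are constructed for
# illustration; the real App-ID engine and rulebase are far richer than this.
from dataclasses import dataclass

# Constructed default-port table: the "application-default" service resolves
# to these ports for a given application (for a custom app, the ports it
# was defined with).
APP_DEFAULT_PORTS = {
    "ssh": {"tcp/22"},
    "telnet": {"tcp/23"},
    "sftp-9122": {"tcp/9122"},   # hypothetical custom app from the thread
}

@dataclass
class Rule:
    name: str
    applications: set   # {"any"} or a set of application names
    service: set        # {"any"}, {"application-default"} or explicit ports

@dataclass
class Session:
    app: str    # what App-ID identified from the payload, e.g. "ssh"
    port: str   # destination port, e.g. "tcp/9122"

def service_matches(rule: Rule, session: Session) -> bool:
    """Service check: any, the app's own default ports, or an explicit list."""
    if "any" in rule.service:
        return True
    if "application-default" in rule.service:
        return session.port in APP_DEFAULT_PORTS.get(session.app, set())
    return session.port in rule.service

def rule_matches(rule: Rule, session: Session) -> bool:
    """A rule matches only when BOTH the application and the service match."""
    app_ok = "any" in rule.applications or session.app in rule.applications
    return app_ok and service_matches(rule, session)

def first_match(rules, session: Session):
    """Return the name of the first rule that matches the session, else None."""
    for rule in rules:
        if rule_matches(rule, session):
            return rule.name
    return None

# Constructed rules mirroring the thread: app ssh on an explicit port 9122,
# and the custom app with service application-default.
ssh_on_9122 = Rule("allow-ssh-9122", {"ssh"}, {"tcp/9122"})
custom_default = Rule("allow-sftp-custom", {"sftp-9122"}, {"application-default"})
```

A session App-ID classifies as telnet on port 9122 never matches the ssh rule, which is why a telnet test cannot validate an SSH-only policy; an actual SSH client on 9122 does.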
09-15-2016 05:02 AM
So after taking out the service object for 9122 and replacing it with application-default it started working?
If you look at the properties of the service object, does it look like this: