Is there a way to test remote host ports from the palo alto firewall?


L6 Presenter

Hello Palo Alto Team,

I'm new to Palo Alto and loving it, but I am looking for PAN-OS CLI commands similar to telnet, nc (netcat) or curl etc. I have seen there is an option to do ssh with a source port (the scp command also supports this); can this replace the telnet source port? From what I tested, I think that SSH without specifying the source is sourced by the management interface, but I don't see a service route for this unless I specify the source IP of a data plane interface. From what I see, if the TCP handshake works but it gets dropped at the application level (this is normal, as I am not using the real application but SSH to check the port), I get the message "ssh_echange_identification: Connection closed by remote host"; if the server does not listen on this port, I get the message "Connection timed out". I think that when the server silently drops it I will see "session timed out", and the pcap confirms this. If the server sends RST for the first SYN packet, I will see from the Traffic log that Server RST was seen, and when it works it will still be TCP RST by the server, but after the 3-way handshake is done; or, in my tests to a test DNS on port 53 with the ssh command, I got just TCP-FIN for the session (don't forget to enable intra-zone log on session end) after the 3-way handshake and the message "ssh_echange_identification: Connection closed by remote host". Can you confirm that this is the way to test with the ssh command? I think that this is an interesting idea, and if possible give me some advice. 🙂

 

ssh port x host x.x.x.x

 

ssh port x source x.x.x.x host x.x.x.x
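The same three outcomes the post distinguishes (handshake completed then closed at the application level, SYN answered with RST, no answer before the timeout), checked from an ordinary host with Python rather than with the PAN-OS ssh command. This is an added example, not code from the thread; the local listeners and port numbers are constructed for the demo, and the source_ip parameter is the analogue of "ssh ... source x.x.x.x".

```python
import socket
import threading

# Outcome labels, mirroring how the post reads the PAN-OS ssh result and the Traffic log
OPEN_CLOSED_BY_PEER = "open (handshake completed, then the peer closed: FIN/RST after the SYN/ACK)"
OPEN_BANNER = "open (handshake completed, peer sent a banner)"
CLOSED_RST = "closed (peer answered the first SYN with RST)"
FILTERED = "filtered (no answer before the timeout, e.g. silently dropped)"

def probe_tcp(host, port, timeout=3.0, source_ip=None):
    """Connect to host:port and classify the outcome like the 'ssh port x host' test."""
    src = (source_ip, 0) if source_ip else None     # analogue of 'ssh ... source x.x.x.x'
    try:
        s = socket.create_connection((host, port), timeout=timeout, source_address=src)
    except ConnectionRefusedError:
        return CLOSED_RST
    except socket.timeout:
        return FILTERED
    with s:                                          # handshake done: talk, hang up, or wait?
        try:
            data = s.recv(64)
        except socket.timeout:
            return "open (handshake completed, peer waits for the client to speak first)"
        except ConnectionResetError:
            return OPEN_CLOSED_BY_PEER
        return OPEN_BANNER if data else OPEN_CLOSED_BY_PEER

def start_demo_listener(banner=b""):   # constructed: accept one client, send banner, close
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def run():
        conn, _ = srv.accept()
        if banner:
            conn.sendall(banner)
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port

def demo():
    """Three constructed cases: a banner service, an accept-then-close service, nothing listening."""
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                                    # released, so the kernel answers with RST
    return {"ssh_like": probe_tcp("127.0.0.1", start_demo_listener(b"SSH-2.0-demo\r\n")),
            "dns_like": probe_tcp("127.0.0.1", start_demo_listener()),
            "nothing_listening": probe_tcp("127.0.0.1", closed_port)}
```

Against a real target, pair the result with the firewall's Traffic log or a pcap, as the post does, since the probe alone cannot tell a drop by the target from a drop on the path.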

 


Cyber Elite

The telnet command was taken out a long time ago. All that is left, as you already discovered, is the ssh (and ping and traceroute) command, which you can source from a dataplane interface (default is management).

 

It is probably more fruitful to test from an external machine where you are able to shape packets better (UDP/TCP) while performing a packet capture, monitoring sessions and tracking global counters.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

As I tested, SSH can also do it, but you need to check the Traffic logs for the reason the session was closed (in most cases intra-zone log at session end needs to be enabled) and/or pcap captures. In some cases people want to check such things from the firewall, not an external host, but thanks for the reply.

Sorry for the late reply but I couldn't help myself while researching this thread.

Sure, it's definitely more fruitful to test from an external machine... but when it's 3AM local time and you're barely awake dealing with an on-call issue, my god is it helpful to have a command like this that can test port functionality directly on the firewall. This is the kind of feature that engineers who work in the trenches think about when looking at purchase decisions.

Try the SSH tool as I mentioned until maybe Palo Alto adds something simpler that is just for this job.

100% agree - I get extremely annoyed at how tooling like netcat (nc) and traceroute cannot be used when tracing traffic. 

 

For newer people to firewall management Palo Alto is so foreign, and clunky. If I had the choice I would never recommend their products, because to troubleshoot with it is not intuitive to a native *Nix administrator. 

I wouldn't go that far, as the other firewall vendors have so many bugs or add new features that never worked, and Palo Alto is stable even if some stupid commands are missing.

You have clearly not worked with Fortinet

Cyber Elite

Hello,

I let the firewall be a firewall and use other tools for what I need. If I need something scanned, I'll use a scanner on a system that I know works. This way I can see the traffic in the logs. Visibility is key, I think.

 

Regards,
