Is there a way to test remote host ports from the palo alto firewall?


L4 Transporter

Hello Palo Alto Team,

I'm new to Palo Alto and loving it, but I am looking for PAN-OS CLI commands similar to telnet, nc (netcat) or curl etc. I have seen there is an option to do ssh with a source and port (the scp command also supports this); can this replace telnet with a source port? From what I tested, I think that ssh without specifying the source is sourced from the management interface, but I don't see a service route for this. If I specify the source IP of a data plane interface, from what I see, if the TCP handshake works but it gets dropped at the application level (this is normal, as I am not using the real application but SSH to check the port), I get the message "ssh_exchange_identification: Connection closed by remote host"; if the server does not listen on this port I get the message "Connection timed out". I think that when the server silently drops it I will see "session timed out", and the pcap confirms this. If the server sends RST for the first SYN packet, I will see from the Traffic log that a server RST was seen, and when it works it will still be a TCP RST by the server but after the 3-way handshake is done; or, in my tests to a test DNS on port 53 with the ssh command, I got just TCP-FIN for the session (don't forget to enable intra-zone log on session end) after the 3-way handshake and the message "ssh_exchange_identification: Connection closed by remote host". Can you confirm that this is the way to test with the ssh command? I think that this is an interesting idea, and if possible give me some advice.

ssh port x host x.x.x.x

ssh port x source x.x.x.x host x.x.x.x


L7 Applicator

The telnet command was taken out a long time ago. All that is left, as you already discovered, is the ssh (and ping and traceroute) command, which you can source from a dataplane interface (the default is management).

It is probably more fruitful to test from an external machine, where you are able to shape packets better (UDP/TCP) while performing packet capture, monitoring sessions and tracking global counters.

Tom Piens
Like my answer? check out my book! https://bit.ly/MasteringPAN
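The original post maps the ssh command's outcome onto what the firewall saw on the wire (server RST on the SYN, "Connection timed out" when the SYN is silently dropped, "Connection closed by remote host" when the handshake completes but the listener is not SSH), and Tom's reply suggests doing the same test from an external machine. The script below is an added example written for this thread, not PAN-OS or Palo Alto code: it performs the same kind of TCP probe from an ordinary host with plain sockets and returns a label for each of those outcomes, so the result can be compared against the Traffic log. The function names, the labels, and the loopback stand-in services it spins up so that it runs offline are all this example's own inventions.

```python
"""Classify a TCP connect probe the way the thread reads the PAN-OS ssh output.

Added example for this thread; not PAN-OS code. Runs from an ordinary host
(Tom's suggestion) and maps the socket outcome onto the observations in the
original post. The fake loopback services exist only so the example runs offline.
"""
import socket
import threading
import time


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to host:port, send an SSH-style identification line, classify.

    Labels (this example's own) and what they correspond to in the thread:
      "refused"             SYN answered with RST: nothing listens there (or the
                            firewall rejects). Traffic log shows the server RST.
      "timeout"             no answer at all: silently dropped on the path.
                            Matches "Connection timed out" from the ssh command.
      "unreachable"         local routing/ICMP error before any SYN was answered.
      "open:banner"         handshake done and the peer sent something back.
      "open:closed-by-peer" handshake done, then the peer closed as soon as our
                            line arrived. This is the "ssh_exchange_identification:
                            Connection closed by remote host" case: the port is
                            open, the application just is not SSH (DNS on 53).
      "open:silent"         handshake done, peer accepted and never answered.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError:
            return "unreachable"
        try:
            s.sendall(b"SSH-2.0-probe_example\r\n")  # what an SSH client says first
            data = s.recv(256)
        except socket.timeout:
            return "open:silent"
        except (ConnectionResetError, BrokenPipeError):
            return "open:closed-by-peer"
    return "open:banner" if data else "open:closed-by-peer"


def unused_loopback_port() -> int:
    """Pick a loopback port nothing listens on (test aid; tiny race window)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_fake_service(mode: str):
    """Loopback stand-in for a remote service; returns (port, stop_callable).

    mode "close":  accept and close at once, like the DNS-on-53 test in the post.
    mode "banner": greet, read the probe line, then close, like an SSH daemon.
    mode "silent": accept, read the probe line, then say nothing for a while.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)  # short accept timeout so the thread notices the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        with srv:
            while not stop.is_set():
                try:
                    conn, _ = srv.accept()
                except socket.timeout:
                    continue
                with conn:  # accepted sockets are blocking; closed on exit
                    if mode == "banner":
                        conn.sendall(b"SSH-2.0-fake_example\r\n")
                        conn.recv(256)  # drain the probe so close() sends FIN, not RST
                    elif mode == "silent":
                        conn.recv(256)
                        time.sleep(3)
                    # "close": fall through and close immediately

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


if __name__ == "__main__":
    for mode in ("close", "banner", "silent"):
        port, stop = start_fake_service(mode)
        print(f"{mode:7s} service on 127.0.0.1:{port} -> "
              f"{probe_tcp('127.0.0.1', port, timeout=1.0)}")
        stop()
    print(f"no listener -> {probe_tcp('127.0.0.1', unused_loopback_port(), timeout=1.0)}")
```

The "open:closed-by-peer" label is the one to read carefully: it is the same outcome the poster gets when pointing the PAN-OS ssh command at a DNS server, and it proves the port is reachable and listening even though the ssh command itself reports an error. Only "timeout" indicates a silent drop somewhere on the path, so when the firewall is the system under test, that result is the one to cross-check against the Traffic log and a packet capture.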

L0 Member

These only have actions for alert or block variations globally for the entire zone to which the policy is applied. You cannot override this by a specific security policy or other means. I think your best bet is to turn the action to alert, as shown above, during your test and restore the original setting afterwards.

As I tested, the ssh command can also do it, but you need to check the Traffic logs for the reason the session was closed (in most cases intra-zone logging at session end needs to be enabled) and/or pcap captures. In some cases people want to check such things from the firewall, not from an external host, but thanks for the reply.

L0 Member
1. Navigate to Objects > Services.
2. Click Add to bring up the Service dialog.
3. Configure the new service with values for Name, Protocol and Destination Port range.
