04-20-2020 03:26 AM
Adding a bidirectional NAT rule for an SSL web server and the corresponding security rule, connections from outside are dropped as "Incomplete". A traffic capture shows that the first SYN packet received is directly rejected by the PA with a RST response. What does it mean?
04-20-2020 08:43 AM - edited 04-20-2020 08:47 AM
Is it possible to share traffic logs for affected traffic? Also is it app-id based security policy ?
As you said in your post, you have bi-directional NAT and you are facing issues with connections from outside on one SSL web server. You are probably trying to externalize the web server on port 443. As the session seems to be incomplete, just check if the web service is running on the server that you want to externalize. Check if you are able to telnet to the internal server on the web-service port from the LAN. As you are seeing an incomplete session, most of the time it happens when there is no response from the server. That's why I asked you to check reverse routing for the web server subnet on the firewall and the application running status on the web server.
04-20-2020 10:51 AM
Agreed with @SutareMayur .
Most of the time the session shows incomplete when there is no reply back from the server side. Routing issues mostly cause this.
04-21-2020 01:23 AM
Thanks for your time. As I mentioned in a previous post, I think we don't have any issue with routing and the service is up and running:
* I can ping server from appliance
* show routing route gives a correct route for my internal subnet
* from the server, I'm able to browse the Internet using the external NAT IP chosen for the service
* from internal subnets, I can access the https service on the server (nginx)
When I capture the traffic I can see a RST TCP packet immediately sent by the PA on the external interface and nothing on the internal interface.
04-21-2020 08:16 PM
It is always safer to create 2 NAT policies (DNAT and SNAT) than a bi-directional one.
If you check a bi-directional NAT rule in the CLI you can see that for the DNAT the source zone will be "any".
For your TCP RST problem. Most likely your security policy is incorrect.
Are you using the pre-NAT IP and post-NAT zone in the security policy?
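The two points in the reply above (security policy is evaluated on the pre-NAT address but the post-NAT zone, and a bi-directional static NAT implicitly creates its reverse DNAT rule with source zone "any") are easy to get wrong, so here is a small model of that lookup order as an added example. It is not Palo Alto code and not the poster's configuration; the zones, the RFC 5737 addresses and the route table are constructed for illustration, and the model only covers destination matching for an inbound SYN.

```python
"""Constructed model of PAN-OS policy lookup for an inbound SYN.

Order modelled: ingress zone from the source route -> NAT lookup on the
ORIGINAL (pre-NAT) packet -> post-NAT destination zone from the translated
address -> security lookup with pre-NAT IPs but post-NAT zones.
Example code only, not Palo Alto's implementation.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed route/zone table: everything not in 10/8 sits behind the untrust interface.
ZONE_ROUTES = {"0.0.0.0/0": "untrust", "10.0.0.0/8": "trust"}


def _ip_in(spec: str, ip: str) -> bool:
    """'any' or a host/CIDR spec against a concrete address."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def zone_of(ip: str) -> str:
    """Longest-prefix match of ip against ZONE_ROUTES (stands in for the route lookup)."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(p) for p in ZONE_ROUTES if addr in ipaddress.ip_network(p)]
    best = max(nets, key=lambda n: n.prefixlen)
    return ZONE_ROUTES[str(best)]


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str          # ingress zone of the original packet
    to_zone: str            # zone the PRE-NAT destination routes to
    src: str
    dst: str                # pre-NAT destination
    translated_src: Optional[str] = None
    translated_dst: Optional[str] = None


@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str            # POST-NAT zone
    src: str
    dst: str                # PRE-NAT address
    action: str             # "allow" or "deny"


def expand_bidirectional(name: str, zone: str, internal: str, public: str) -> List[NatRule]:
    """A bi-directional static NAT written out as the two rules it implies.

    The reverse (DNAT) rule is derived with source zone 'any', which is the
    point made in the post above; writing both rules explicitly lets you pin
    the inbound rule to a specific zone instead."""
    return [
        NatRule(name + "-out", zone, "untrust", internal, "any", translated_src=public),
        NatRule(name + "-in", "any", "untrust", "any", public, translated_dst=internal),
    ]


def lookup_nat(ingress: str, src: str, dst: str, rules: List[NatRule]) -> Optional[NatRule]:
    """First NAT rule matching the original packet (pre-NAT addresses and zones)."""
    for r in rules:
        if (r.from_zone in ("any", ingress) and r.to_zone in ("any", zone_of(dst))
                and _ip_in(r.src, src) and _ip_in(r.dst, dst)):
            return r
    return None


def lookup_security(from_zone: str, to_zone: str, src: str, dst: str,
                    rules: List[SecurityRule]) -> Optional[SecurityRule]:
    for r in rules:
        if (r.from_zone in ("any", from_zone) and r.to_zone in ("any", to_zone)
                and _ip_in(r.src, src) and _ip_in(r.dst, dst)):
            return r
    return None


def evaluate(src: str, dst: str, nat_rules: List[NatRule],
             sec_rules: List[SecurityRule]) -> Tuple[str, str, str]:
    """Return (matched security rule, action, post-NAT destination) for a SYN src -> dst."""
    ingress = zone_of(src)
    nat = lookup_nat(ingress, src, dst, nat_rules)
    post_dst = nat.translated_dst if nat and nat.translated_dst else dst
    egress = zone_of(post_dst)                       # post-NAT zone
    sec = lookup_security(ingress, egress, src, dst, sec_rules)   # pre-NAT addresses
    if sec is None:
        return ("interzone-default", "deny", post_dst)
    return (sec.name, sec.action, post_dst)


# Constructed topology: public 203.0.113.10 (untrust) is DNATed to nginx on 10.0.0.10 (trust).
EXPLICIT_NAT = [NatRule("DNAT-web", "untrust", "untrust", "any", "203.0.113.10/32",
                        translated_dst="10.0.0.10")]
BIDIR_NAT = expand_bidirectional("web", "trust", "10.0.0.10", "203.0.113.10")

# Wrong: destination written as the post-NAT (internal) address; it never matches.
WRONG_POLICY = [SecurityRule("allow-web-wrong", "untrust", "trust", "any", "10.0.0.10/32", "allow")]
# Right: pre-NAT (public) address with the post-NAT (trust) zone.
RIGHT_POLICY = [SecurityRule("allow-web", "untrust", "trust", "any", "203.0.113.10/32", "allow")]

if __name__ == "__main__":
    for label, pol in (("wrong", WRONG_POLICY), ("right", RIGHT_POLICY)):
        print(label, evaluate("198.51.100.5", "203.0.113.10", EXPLICIT_NAT, pol))
```

Run as a script it prints the interzone default deny for the "wrong" policy and the allow for the "right" one; swapping `EXPLICIT_NAT` for `BIDIR_NAT` gives the same result, only with the inbound rule's source zone widened to "any".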
04-22-2020 03:37 AM
Thank you very much for your advice on NAT rules.
After another check of our configuration, it seems that another host in the same NML subnet, not crossing the Palo appliance, was using the same IP address ... Everything works as expected now, sorry for the time spent on this obvious problem.