05-12-2017 11:14 AM
Trying to configure DirectAccess (Windows Server) to work but I believe it is failing due to the Palo Alto. I created a custom application and application override for the ports needed but it is still failing. Per a Microsoft document, "the firewall has to be configured to pass the traffic through transparently. You cannot NAT the traffic". How do I do this? Does anyone else have experience using DA (more so with DA behind the PA firewall)?
Thanks,
05-16-2017 03:09 PM - edited 05-16-2017 03:10 PM
I have not set up DirectAccess, but a few ideas.
Do you have a dedicated public IP for DA?
If yes, then can you set up bi-directional NAT with Service Any?
Permit all traffic from specific source IP you attempt to connect from to this DA IP.
Review logs. What applications do you see in use?
Disable app-overrides temporarily to see how Palo identifies this traffic.
05-17-2017 06:42 AM
DA does have a public IP. The PA is currently set up as a vwire, so NAT is handled by our Cisco ASA (I have all of the ports enabled correctly on the ASA). As far as the PA, I created application overrides for all of the ports. One thing I noticed, and I know this is the default since version 7 (I believe): the policy for "Inbound Traffic" has application-default as the service type. Should I change this to any and see if that solves the issue (instead of trying to figure out application overrides)?
You mention permitting all traffic from the source IP. Is that as in creating a new policy with that source IP, setting the service to any, and allowing it?
Sorry, still a newbie to PAN. Thanks.
05-17-2017 07:19 AM - edited 05-17-2017 07:32 AM
Yes, if you know the public IP of the client that tries to communicate, then create a policy where the source zone is WAN, the source IP is the client IP, application is any and service is any.
And share logs what you see Monitor > Traffic.
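As an added illustration of the suggestion above (not from the original thread or from Palo Alto's documentation): the temporary troubleshooting rule expressed in PAN-OS configure-mode CLI, followed by the traffic-log query that matches the Monitor > Traffic view. The zone names, rule names, test client 203.0.113.10 and DA server 198.51.100.20 are assumed placeholders, lines starting with # are annotations rather than CLI input, and the exact syntax should be checked against your PAN-OS version.

```text
# Assumed placeholders: vwire zones "untrust"/"trust", test client
# 203.0.113.10, DirectAccess server 198.51.100.20, override rule "DA-override".
configure
# Temporary diagnostic rule scoped to the single test client; the any/any
# match is only for finding out what App-ID sees, and the rule is removed
# once the real application and service have been identified.
set rulebase security rules DA-troubleshoot from untrust to trust
set rulebase security rules DA-troubleshoot source 203.0.113.10 destination 198.51.100.20
set rulebase security rules DA-troubleshoot application any service any action allow
# Log at session end so the identified application appears in Monitor > Traffic.
set rulebase security rules DA-troubleshoot log-end yes
# Disable (rather than delete) the application override so App-ID is visible.
set rulebase application-override rules DA-override disabled yes
commit
exit
# Review what the firewall identified for this client; this is the same filter
# you would paste into the Monitor > Traffic search box.
show log traffic query equal "(addr.src in 203.0.113.10)" direction equal backward
```

Once the application column in those log entries shows what DA is actually using, the override and the real inbound rule can be corrected and the temporary rule deleted.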