This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

SSL VPN Portal Page

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSL VPN Portal Page

ajripa
Not applicable

‎02-28-2011 02:17 PM

Hi guys,

I'm trying to set up ssl vpn on PAN. I would like to know which security policies are necessary to make the portal work.

My actual rule is:

Source Zone: untrust

Destination Zone: untrust

Source Address: any

Source User: any

Destination Address: public ip

Application: ssl, ipsec, panos-web-interface, web-browsing

Service: application-default

If I use "any" as service, the portal is shown, I can log in and the tunnel works, but using the above rule the portal doesn't work. Inspecting the log I can see that traffic is denied by the default block rule.

deny untrust untrust addr.src addr.dst 22735      443 addr.src.nat addr.dst.nat 22735      20077      tcp      web-browsing      deny default_block

Addr.src = addr.scr.nat

Addr.dst = addt.dst.nat

Somehow port 443 is mapped by some kind of nat to port 20077 so I suppose that I have to open it. Which port range should be opened?

Thanks!

0 Likes Likes
3 REPLIES 3

skrall
L4 Transporter

‎03-02-2011 12:24 AM

Initially you only need to alow SSL and IPSEC from untrust to untrust.  What is the zone for your tunnel interface? If it is something other than untrus or trus you will need to create rules that allow from the untrust to the VPN-Zone and VPN-Zone to trust.  Use the CLI commands to see which rule is dropping your traffic.

show session all filter source <ip_of_test_pc>

This should show you at least one session, app = ssl, and some ID number.

Then look at the ID.

Show session id xxxxx

This will show you the ingress and egress  interfaces and the security rule that allowed or dropped the packets.

If this is not enough then you will need to open a support ticket.

Steve Krall

0 Likes Likes

ajripa
Not applicable
In response to skrall

‎03-27-2011 10:18 AM

I had a Block_All rule defined for logging reasons. This rule overruled the default intrazone-allow-rule and avoided the properly working of the vpn portal page.

0 Likes Likes

PierreJvR
L1 Bithead

‎03-31-2011 12:47 PM

The reason your portal page is being blocked when using application default for the service is that the web-browsing application traffic is on port 443 for the ssl vpn portal and not the default of 80/8080. See this post: https://live.paloaltonetworks.com/docs/DOC-1198 as to why.

The way I got around it was to create a service for the IPSec traffic, called it service-ipsec on UDP 4500-4501 and then use specific services, i.e. service-http, service-https & service-ipsec, instead of application default or any.

0 Likes Likes
  • 4079 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks