Web Interface access from Internet

Reply
Highlighted
L3 Networker

I looked port 443 (nothing) , and 22 (where I am actually connected)

admin@PA-200-1> show session all filter destination-port 443

No Active Sessions

admin@PA-200-1> show session all filter destination-port 22

--------------------------------------------------------------------------------

ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])

Vsys                                          Dst[Dport]/Zone (translated IP[Port])

--------------------------------------------------------------------------------

19243        ssh            ACTIVE  FLOW       y.y.y.y[39267]/WAN-zone/6  (y.y.y.y[39267])

vsys1                                          x.x.x.x[22]/WAN-zone  (x.x.x.x[22])

......

L6 Presenter

write a temporary rule, and try to access.it will be better

configure

set rulebase security rules TEST from WAN to WAN source (your ip address which you try to access now) destination X.X.X.X(fw address) action allow

move rulebase security rules TEST top

commit

Highlighted
L5 Sessionator

Hi Niuk,

Do you have a NAT for the outside interface ip? Can you check your NAT policy to see if you are translating anything on 443?

Highlighted
L3 Networker

I moved below to TOP and committed

set rulebase security rules TEST from WAN-zone to WAN-zone source any destination x.x.x.x action allow service service-https application any

rulebase {

            security {

              rules {

                TEST {

                  from WAN-zone;

                  to WAN-zone;

                  source any;

                  destination x.x.x.x;

                  action allow;

                  service service-https;

                  application any;

but no difference , maybe I should do service application-default , and application ssl

application ssl;

service application-default;

Highlighted
L3 Networker

no NAT

Highlighted
L5 Sessionator

If there is no NAT and security policy allows any source to connect to firewall's IP on 443 and if we still don't see any sessions on firewall. Next step would be take pcap on the firewall and see 443 packets are making it upto the firewall?

How to Run a Packet Capture

See if packets are even making it to the outside interface. Thank you.

Highlighted
L7 Applicator

Hello Niuk,

You can check the real time session in the CLI by using 'show session all filter source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION'.


>  If there is an session exist for the same traffic,  then please apply  CLI command PAN> show session id XYZ   >>>>>>>> to get detailed information about that session, i.e NAT rule, security rule, ingress/egress interface etc.

verify the global counters, if a specific "DRP" counter is increasing rapidly. The command show counter global provides information about the processes/actions taken on the packets going through the device; if they are dropped, nat-ed, decrypted etc.  These counters are for all the traffic going through the device and are useful in troubleshooting issues; like poor performance, packet loss, latency etc. It is advised to use the command show counter global filter packet-filter yes delta yes in conjunction with filters to obtain meaningful data.

For more information, you can follow the DOC What is the Significance of Global Counters?

> You can enable FLOW BASIC feature to understand the exact reason behind the failure:

> debug dataplane packet-diag clear all

> debug dataplane packet-diag set filter match source  IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION

> debug dataplane packet-diag set filter match source IP_ADD_OF_THE_DESTINATION destination  IP_ADD_OF_THE_TESTING_PC

> debug dataplane packet-diag set log feature flow basic

> debug dataplane packet-diag set log feature tcp all

> debug dataplane packet-diag set filter on

> debug dataplane packet-diag set log on


~~~~~~~~~~~~~~~~ Initiate traffic ( try to access the management interface) ~~~~~~~~~~~~~~~~~~~~~~~~~

> debug dataplane packet-diag set log off

> debug dataplane packet-diag aggregate-logs

> less mp-log pan_packetdiag_log.log

For more information, you can follow the DOC: Packet Capture, Debug Flow-basic and Counter Commands

Hope this helps.

Thanks

Highlighted
L3 Networker

The fix was to access web gui on port 4443....I have Global Protect configured, and  believe or not , GP swings system https port to 4443

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!