Giving permission to external IP address to access our internal server

L1 Bithead

Hi beautiful People,

I am trying to give permission to an external IP address to access one of the servers in my network. How can I give that permission from the Palo Alto firewall? I have the PA-3220 model of Palo Alto.

Please kindly give me a solution to this.

And also, how can I disable SIP ALG on that?

3 REPLIES

L4 Transporter

Hi,

Unsure what version of PAN-OS you are running, but the KB article below should be enough to guide you to where you can disable SIP ALG.

How to Disable SIP ALG - Knowledge Base - Palo Alto Networks

With regard to allowing an external IP access to one of your internal servers, this will likely involve both a Security policy rule and a NAT policy rule. It may not be the best solution from a security perspective, though.

I would ask that you provide a little more information before doing this so that we can understand the context of what you are trying to achieve.


Thanks,

Dave

This is the job request I got for the IP addressing part:

A new e-commerce server is set up, and the traffic from the new external server to the trusted internal server is blocked.

Traffic from the new server to the internal server should be allowed. What do you suggest?

Hello @lprasad, publishing the server is easy.

Now you must create a NAT.

A destination NAT:

Source zone Untrust/WAN, destination zone WAN/Untrust (the WAN or Untrust zone you have defined in your AP).
Destination Address: here you must point to the public IP that you are going to use to publish your service, for example the IP of your public interface or another IP that you define. Then, in Translated Packet, Destination Translation, you set the private IP; the internal IP of your server is 192.168.0.20, I understand, according to what you have mentioned in the post.

Now, after you have the destination NAT policy created, you must apply the security policy.

Source Zone Untrust/WAN, and in destination the final destination zone, for example DMZ, Trust, Internal or LAN, according to how you have it defined in your firewall. Then, in destination address, you must put the public IP, not the private IP, but the public IP that you are using to publish the server and service. Now, in the service section, I recommend that in the security rule/policy you put at the Service level only the ports that you are going to publish, for example Service-https (if you are going to publish 443) and/or other services such as Service-8080 (you create the service, for example 8080/TCP) or Service-8083 (same, TCP/8083). This is in order to publish only the strictly necessary ports and services. For example, you do not want to publish RDP if it is a Windows server, or 22 if it is a Linux/Unix server, or some administration port that should only be reachable internally. Depending on the level of subscriptions that your firewall has, I recommend you apply security profiles such as VP, Antivirus and WildFire.

Support links:

https://www.packetswitch.co.uk/palo-alto-nat-example/#:~:text=Source%20NAT%20is%20used%20for,private%20network%20to%20the%20Internet

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/source-nat-and-destination-...

Best regards

High Sticker
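The destination NAT rule and the matching security rule described in the reply above, written out as PAN-OS CLI "set" commands. This is an added example, not configuration from the original thread or from Palo Alto Networks. Everything specific to the environment is assumed: the zone names Untrust and DMZ, the interface ethernet1/1, the public IP 203.0.113.10, the external e-commerce server 198.51.100.25, the internal server 192.168.0.20, and the extra port 8080 are all placeholders (RFC 5737 documentation ranges) and must be replaced with your own values.

```text
# Added example (assumed names and addresses, not from the original post).
configure

# Address objects: the public IP the service is published on, the single
# external host that is allowed in, and the internal server (pre/post NAT).
set address ecom-public-ip ip-netmask 203.0.113.10/32
set address ecom-external-server ip-netmask 198.51.100.25/32
set address ecom-server-private ip-netmask 192.168.0.20/32

# Custom service for the extra published port (service-https is predefined).
set service tcp-8080 protocol tcp port 8080

# Destination NAT: matched on the PRE-NAT packet, so the destination zone is
# the zone the public IP routes to (Untrust), not the server's zone.
set rulebase nat rules DNAT-ecommerce from Untrust to Untrust source ecom-external-server destination ecom-public-ip service any to-interface ethernet1/1 destination-translation translated-address ecom-server-private

# Security rule: source is the one external host only; destination is the
# public (pre-NAT) IP, but the "to" zone is the POST-NAT zone of the server.
# Services are limited to the published ports; no "service any", and no
# RDP/SSH/other admin ports exposed from the Untrust zone.
set rulebase security rules Allow-ecommerce-inbound from Untrust to DMZ source ecom-external-server destination ecom-public-ip application any service [ service-https tcp-8080 ] action allow
set rulebase security rules Allow-ecommerce-inbound log-end yes

# Attach security profiles (requires the matching subscriptions).
set rulebase security rules Allow-ecommerce-inbound profile-setting profiles virus default vulnerability strict spyware strict wildfire-analysis default

commit
```

Before committing, confirm the rule order: the new security rule must sit above any broad Untrust-to-DMZ deny, and the NAT rule must come before any generic outbound source NAT rule. After the commit, `test nat-policy-match from Untrust to Untrust source 198.51.100.25 destination 203.0.113.10 protocol 6 destination-port 443` and the corresponding `test security-policy-match` show which rule a packet would hit without sending live traffic.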