Hi @ccortijo,

The last rule, which should allow access to your DMZ server, still needs to be corrected. It should match destination address 192.168.1.2. This is a little trick when you first start working with PAN firewalls, but I believe at some point you will understand it makes a lot of sense:
When creating a security rule you need to use the post-NAT zone with pre-NAT addresses. That is because NAT is "evaluated" first, before the policy lookup, and NAT is applied after finding the matching rule, a little before the traffic exits the firewall.

For the same reason the NAT rule needs to use pre-NAT zones (because it needs to match the traffic using the original addresses).

So back to your case, your NAT and security rules for the DMZ and GP should look like:

GP:

- Security: source zone=WAN-CYBER; dest zone=WAN-CYBER; source addr=any; dest address=192.168.1.2

- NAT: source zone=WAN-CYBER; dest zone=WAN-CYBER; source addr=any; dest addr=192.168.1.2; service=tcp/7000


DMZ server:

- Security: source zone=WAN-CYBER; dest zone=DMZ-Servidur; source addr=any; dest address=192.168.1.2

- NAT: source zone=WAN-CYBER; dest zone=WAN-CYBER; source addr=any; dest addr=192.168.1.2; service=any


Back to your GP - the NAT and security rules look good to me, however it looks like the NAT doesn't get any hits, which makes me believe no traffic for 192.168.1.2 on port 7000 is hitting the firewall.

- How are you testing the access to GP? Can you try to open the public IP with a simple web browser: https://<public-ip>:7000

Do you receive a login page? If yes, are you able to authenticate?

- Check your unified logs, filtering by (port.dst eq 7000); if there is too much noise add the filter (addr.dst in 192.168.1.2). Do you see your attempts? If yes, is the traffic being allowed? If you expand the log details, do you see NAT being applied?


In addition:

- Did you move the GP to loopback.1 as I suggested?

- I noticed you have applied a MGT interface profile on the loopback. What services have you enabled for that profile? Is HTTPS enabled? If yes, you really don't have to. An interface profile with HTTPS is only to enable the webUI admin interface and is not required to enable GP. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbUCAS
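The evaluation order described in the reply above (NAT lookup with pre-NAT zones and addresses, route lookup on the translated address to find the post-NAT zone, then security lookup with the post-NAT zone but the original destination address), as an added toy model that is not part of the original post and not PAN-OS code. The address 192.168.1.2, the zone names and the tcp/7000 service come from the thread; the two translated addresses (10.255.0.1 for loopback.1, 172.16.10.5 for the DMZ server) and the external client address are assumed placeholders. The model also shows two caveats the thread only implies: a security rule written with the translated address never matches, and the tcp/7000 NAT rule must sit above the catch-all DMZ NAT rule because the first matching NAT rule wins.

```python
"""Toy model of PAN-OS packet-flow ordering:
NAT lookup (pre-NAT zones, pre-NAT address) -> route lookup on the translated
address gives the post-NAT zone -> security lookup (post-NAT zone, pre-NAT address)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str          # original (pre-NAT) destination
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str                      # pre-NAT source zone
    to_zone: str                        # pre-NAT destination zone
    dst_addr: str                       # original destination address
    service: Optional[Tuple[str, int]]  # (proto, port), or None for "any"
    translated_dst: str


@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str   # source zone
    to_zone: str     # POST-NAT destination zone
    dst_addr: str    # PRE-NAT destination address, or "any"
    action: str = "allow"


# Constructed route/zone table. 192.168.1.2 and the zone names are from the thread;
# the two translated addresses are assumed placeholders for this example.
ZONE_OF = {
    "192.168.1.2": "WAN-CYBER",     # public address, routed out the WAN-CYBER interface
    "10.255.0.1": "WAN-CYBER",      # assumed: loopback.1 in WAN-CYBER hosting GP
    "172.16.10.5": "DMZ-Servidur",  # assumed: real address of the DMZ server
}


def zone_for(ip: str) -> str:
    """Route-lookup stand-in: the zone of the interface that reaches this address."""
    return ZONE_OF.get(ip, "unknown")


def service_matches(rule_service: Optional[Tuple[str, int]], pkt: Packet) -> bool:
    return rule_service is None or rule_service == (pkt.proto, pkt.dst_port)


def evaluate(pkt: Packet, ingress_zone: str, nat_rules, sec_rules) -> dict:
    # 1. NAT lookup: pre-NAT source zone, pre-NAT destination zone, original address.
    pre_nat_dst_zone = zone_for(pkt.dst_ip)
    nat = next((r for r in nat_rules            # top-down, first match wins
                if r.from_zone == ingress_zone
                and r.to_zone == pre_nat_dst_zone
                and r.dst_addr == pkt.dst_ip
                and service_matches(r.service, pkt)), None)
    translated_dst = nat.translated_dst if nat else pkt.dst_ip

    # 2. Post-NAT destination zone: route lookup on the translated address.
    post_nat_dst_zone = zone_for(translated_dst)

    # 3. Security lookup: post-NAT destination zone, but the ORIGINAL destination address.
    sec = next((r for r in sec_rules
                if r.from_zone == ingress_zone
                and r.to_zone == post_nat_dst_zone
                and r.dst_addr in (pkt.dst_ip, "any")), None)
    if sec:
        action = sec.action
    elif ingress_zone == post_nat_dst_zone:
        action = "allow"   # PAN-OS intrazone-default
    else:
        action = "deny"    # PAN-OS interzone-default

    # 4. Only now is the translation applied, as the packet leaves the firewall.
    return {"nat_rule": nat.name if nat else None, "translated_dst": translated_dst,
            "post_nat_dst_zone": post_nat_dst_zone,
            "security_rule": sec.name if sec else None, "action": action}


# The rules as the reply lays them out (specific GP rule above the catch-all DMZ rule).
NAT_RULES = [
    NatRule("GP-tcp7000", "WAN-CYBER", "WAN-CYBER", "192.168.1.2", ("tcp", 7000), "10.255.0.1"),
    NatRule("DMZ-any", "WAN-CYBER", "WAN-CYBER", "192.168.1.2", None, "172.16.10.5"),
]
SECURITY_RULES = [
    SecurityRule("GP-allow", "WAN-CYBER", "WAN-CYBER", "192.168.1.2"),
    SecurityRule("DMZ-allow", "WAN-CYBER", "DMZ-Servidur", "192.168.1.2"),
]
# The mistake the reply points out: the DMZ security rule written with the translated address.
WRONG_SECURITY_RULES = [
    SecurityRule("GP-allow", "WAN-CYBER", "WAN-CYBER", "192.168.1.2"),
    SecurityRule("DMZ-allow-wrong", "WAN-CYBER", "DMZ-Servidur", "172.16.10.5"),
]

if __name__ == "__main__":
    client = "203.0.113.7"  # constructed external client
    for port, rules in ((7000, SECURITY_RULES), (443, SECURITY_RULES), (443, WRONG_SECURITY_RULES)):
        print(port, evaluate(Packet(client, "192.168.1.2", port), "WAN-CYBER", NAT_RULES, rules))
```

Running the block prints the decision for a GP connection (tcp/7000), an arbitrary DMZ connection (tcp/443), and the same DMZ connection against the mis-written security rule, which falls through to the interzone default and is denied even though the NAT rule matched. Swapping the order of the two NAT rules sends the tcp/7000 traffic to the DMZ server instead of loopback.1, which is the kind of silent failure the "no hits on the NAT rule" observation in the reply would surface in the unified logs.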
