@NikolayDimitrov GarageBand PC wrote: Hello Palo Alto Team,

I am new to Palo Alto and loving it, but I am looking for PAN-OS CLI commands similar to telnet, nc (netcat) or curl etc. I have seen there is an option to do ssh with a source port (the scp command also supports this); can this replace the telnet source port?

From what I tested, I think that SSH without specifying the source is sourced from the management interface, but I don't see a service route for this. If I specify the source IP of a data plane interface, what I see is this: if the TCP handshake works but it gets dropped at the application level (this is normal as I am not using the real application but SSH to check the port), I get the message "ssh_echange_identification: Connection closed by remote host"; if the server does not listen on this port, I get the message "Connection timed out". I think that when the server silently drops it I will see "session timed out", and the pcap confirms this.

If the server sends RST for the first SYN packet, I will see from the Traffic log that a server RST was seen, and when it works it will still be a TCP RST by the server but after the 3-way handshake is done; or, in my tests to a test DNS on port 53 with the ssh command, I got just TCP-FIN for the session (don't forget to enable intra-zone log on session end) after the 3-way handshake and the message "ssh_echange_identification: Connection closed by remote host".

Can you confirm that this is the way to test with the ssh command? I think that this is an interesting idea and, if possible, give me some advice. 🙂

ssh port x host x.x.x.x
ssh port x source x.x.x.x host x.x.x.x

These only have actions for alert or block variations globally for the entire zone to which the policy is applied. You cannot override this by a specific security policy or other means. I think your best bet is to turn the action to alert, as shown above, during your test and restore the original setting afterwards.
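The three outcomes the post reads from the `ssh port X source Y host Z` test (handshake completes and the peer closes, server RST on the SYN, or a silent drop that times out) can be reproduced with a plain TCP socket, which is easier to interpret than the SSH client's messages. This is an added example, not code from the post or from PAN-OS; `probe_tcp` and the local listener fixture are assumed names, and the `source_ip` bind is an assumed analogue of the CLI `source` keyword.

```python
"""Added example: classify a TCP port the way the post infers it from the ssh
command: handshake + peer close/FIN ("open-*"), RST on SYN ("refused"), or no
answer within the timeout ("filtered", the post's "Connection timed out").
"""
import socket
import threading


def probe_tcp(host: str, port: int, timeout: float = 3.0, source_ip: str = "") -> str:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if source_ip:
            # Assumed analogue of PAN-OS `source`: make the SYN leave with this address.
            s.bind((source_ip, 0))
        s.connect((host, port))            # 3-way handshake
    except ConnectionRefusedError:
        s.close()
        return "refused"                   # server answered the SYN with RST
    except socket.timeout:
        s.close()
        return "filtered"                  # silently dropped (no SYN-ACK, no RST)
    # Handshake done: see what the application layer does, as the post observes.
    try:
        data = s.recv(64)
    except socket.timeout:
        return "open-silent"               # listener accepted but sent nothing yet
    except ConnectionResetError:
        return "open-reset-by-peer"        # TCP RST after the handshake
    finally:
        s.close()
    return "open-closed-by-peer" if data == b"" else "open-banner"   # FIN vs. banner


def start_accept_and_close_listener() -> tuple:
    """Constructed fixture: a local listener that completes the handshake, then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.close()                       # sends FIN, like the post's DNS-on-53 case
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


def free_closed_port() -> int:
    """Constructed fixture: a loopback port with nothing listening on it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    port, _ = start_accept_and_close_listener()
    print(port, probe_tcp("127.0.0.1", port))          # open-closed-by-peer
    print(free_closed_port(), probe_tcp("127.0.0.1", free_closed_port()))  # refused
```

The "filtered" branch cannot be exercised against loopback; it shows up only when a firewall or host drops the SYN without answering.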