Allow RDP through Palo Alto Firewall

May 5, 2019
A vendor wants remote access to your Windows server, which has an internal IP of 192.168.1.14. You need to configure your firewall to allow remote access to that server from that particular vendor's IP address only.

First of all, do not do this! Again, please do not do this.
A more secure way is to set up an RD Gateway, or to allow RDP only over a VPN.

If you still want to open up RDP through your Palo Alto firewall, then here is how to do it.

Background Info
Security Appliance: Palo Alto Networks PA-220
PAN-OS version: 8.1.10
Public IP: 40.112.72.205
Vendor's IP: 176.32.98.166


Add RDP Service
Objects → Services

Name             : RDP
Protocol         : TCP
Destination-Port : 3389
Source-Port      : 1-65535

Add a Port Translation NAT Policy
Policies → NAT

Name                    : Incoming RDP
Tag                     : Outside
Source-Zone             : Untrust-L3
Destination-Zone        : Untrust-L3
Destination-Interface   : Ethernet1/1
Service                 : RDP
Destination-Address     : 40.112.72.205
Source-Translation-Type : None
Destination-Translation
--Translation-Type      : Static IP
--Translated-Address    : 192.168.1.14
--Translated-Port       : 3389

Add a Security Policy
Policies → Security

Name                : Incoming RDP
Tag                 : Outside
Rule-Type           : Universal
Source-Zone         : Untrust-L3
Source-Address      : 176.32.98.166
Destination-Zone    : Trust-L3
Destination-Address : 40.112.72.205
Service             : RDP
Action              : Allow

In this security policy, I'm limiting the RDP access to just one IP: 176.32.98.166.
Alternatively, you can set the Application to ms-rdp and the Service to any.
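The two things that most often go wrong with this pair of rules on PAN-OS are zone and address placement: the NAT rule is evaluated on the pre-NAT packet, so its destination zone is the outside zone, while the security rule uses the post-NAT destination zone together with the pre-NAT (public) destination address. The following is an added example, not part of this post and not a Palo Alto tool; it renders the equivalent configure-mode `set` commands for the values used above and checks a NAT/security rule pair for those mistakes, plus an overly broad source or service. The dictionary layout and the `check_rdp_policy` / `render_set_commands` names are this example's own.

```python
"""Render and sanity-check a PAN-OS destination-NAT rule pair for inbound RDP.

Added example for this post. The 'set' lines follow the PAN-OS CLI
configure-mode grammar; zone, interface and address values are the ones
from the post (constructed sample input, not a live firewall).
"""
import ipaddress


def is_single_ip(value):
    """True only for a single host address, not 'any' or a CIDR block."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_rdp_policy(nat, sec, outside_zone, inside_zone):
    """Return a list of problems with a NAT/security rule pair (empty = OK)."""
    problems = []
    # NAT rules match the packet before translation: the public IP still
    # belongs to the outside zone, so from-zone and to-zone are both outside.
    if nat["from"] != outside_zone or nat["to"] != outside_zone:
        problems.append("NAT rule: from-zone and to-zone must both be the outside zone")
    # Security rules match the post-NAT zone but the pre-NAT address.
    if sec["from"] != outside_zone or sec["to"] != inside_zone:
        problems.append("security rule: from-zone must be outside and to-zone the inside (post-NAT) zone")
    if sec["destination"] != nat["destination"]:
        problems.append("security rule: destination must be the pre-NAT public IP, "
                        "not the internal server address")
    # Scope: one vendor host and one service. 'any' in both service and
    # application, or 'any' as the source, exposes RDP far wider than intended.
    if not is_single_ip(sec["source"]):
        problems.append("security rule: source must be the vendor's single IP, not 'any' or a range")
    if sec["service"] == "any" and sec["application"] == "any":
        problems.append("security rule: service and application cannot both be 'any'")
    return problems


def render_set_commands(nat, sec, service_name="RDP", port=3389):
    """Render the PAN-OS configure-mode 'set' commands equivalent to the GUI steps."""
    return [
        f"set service {service_name} protocol tcp port {port}",
        (f'set rulebase nat rules "{nat["name"]}" from {nat["from"]} to {nat["to"]} '
         f'to-interface {nat["to-interface"]} source any destination {nat["destination"]} '
         f'service {service_name} destination-translation '
         f'translated-address {nat["translated-address"]} translated-port {nat["translated-port"]}'
         ).replace('"{', '"').replace('}"', '"'),
        (f'set rulebase security rules "{sec["name"]}" from {sec["from"]} to {sec["to"]} '
         f'source {sec["source"]} destination {sec["destination"]} '
         f'application {sec["application"]} service {sec["service"]} action allow log-end yes'),
    ]


# Constructed sample input: the NAT and security policies from the post.
POST_NAT = {
    "name": "Incoming RDP", "from": "Untrust-L3", "to": "Untrust-L3",
    "to-interface": "ethernet1/1", "destination": "40.112.72.205",
    "translated-address": "192.168.1.14", "translated-port": 3389,
}
POST_SEC = {
    "name": "Incoming RDP", "from": "Untrust-L3", "to": "Trust-L3",
    "source": "176.32.98.166", "destination": "40.112.72.205",
    "application": "any", "service": "RDP",
}

if __name__ == "__main__":
    print("\n".join(render_set_commands(POST_NAT, POST_SEC)))
    print("problems:", check_rdp_policy(POST_NAT, POST_SEC, "Untrust-L3", "Trust-L3"))
```

Running it prints the three `set` lines and an empty problem list for the post's values; swapping the security rule's destination to 192.168.1.14 or its source to `any` produces one finding each, which is exactly the mistake the dashboard will not warn you about.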

That's it. You have now created a rule to allow remote access from 176.32.98.166 to your application server.