Allow RDP through Palo Alto Firewall

May 5, 2019
A vendor wants to have remote access to your Windows server with internal IP of You need to configure your firewall to allow remote access to that server from that particular vendor's IP address.

First of all, do not do this! Again, please do not do this.
A more secured way is to set up a RD Gateway or only use RDP over VPN.

If you still want to open up RDP through your Palo Alto firewall, then here is how to do it.

Background Info
Security Appliance: Palo Alto Networks PA-220
PAN-OS version: 8.1.10
Public IP:
Vendor's IP:

Add RDP Service
Objects → Services

Name             : RDP
Protocol         : TCP
Destination-Port : 3389
Source-Port      : 1-65535

Add a Port Translation NAT Policy
Policies → NAT

Name                    : Incoming RDP
Tag                     : Outside
Source-Zone             : Untrust-L3
Destination-Zone        : Untrust-L3
Destination-Interface   : Ethernet1/1
Service                 : RDP
Destination-Address     :
Source-Translation-Type : None
--Translation-Type      : Static IP
--Translated-Address    :
--Translated-Port       : 3389

Add a Security Policy
Policies → Security

Name                : Incoming RDP
Tag                 : Outside
Rule-Type           : Universal
Source-Zone         : Untrust-L3
Source-Address      :
Destination-Zone    : Trust-L3
Destination-Address :
Service             : RDP
Action              : Allow

In this security policy, I'm limiting the RDP access to just one IP:
Also, you can specify the Application to be ms-rdp and set the Service to any.

That's it. You have now created a rule to allow remote access from to your application server.