How do I enable ping to a non-mgmt IP address?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How do I enable ping to a non-mgmt IP address?

L1 Bithead

Hello,

I'm trying to enable ping to an external address that is not assigned to an interface? Is this possible? This address is used for NAT'ing purposes or to access an internal server.


I've done the following but I'm still not able to ping the address/server:

1. allow application ping from internet to my external ip.

Am I missing anything?

Thanks

1 accepted solution

Accepted Solutions

L6 Presenter

If you have setup DNAT then enabling ping towards the (in your case) server should be the same way as when you enable other types of traffic.

If you want a physical interface of your PA box to reply to ping you need to setup a management profile where you only select "ping" and then attach this profile to that particular physical interface. Im not sure if you need a security rule aswell or not.

View solution in original post

5 REPLIES 5

L6 Presenter

If you have setup DNAT then enabling ping towards the (in your case) server should be the same way as when you enable other types of traffic.

If you want a physical interface of your PA box to reply to ping you need to setup a management profile where you only select "ping" and then attach this profile to that particular physical interface. Im not sure if you need a security rule aswell or not.

L5 Sessionator

To add to mikand, this traffic needs intra-zone security rule typically Untrust-to-Untrust which is permitted by the firewall by default,unless we have a any-any deny-all rule configured.

Interface will proxy-arp for all the addresses lying in it's subnet.So adding an interface-management profile allowing ping service should take care of things .

Please refer  :https://live.paloaltonetworks.com/docs/DOC-2998#cf

L1 Bithead

Thanks guys. Let me try these out and get back to you with results.

Appreciate the help!

L1 Bithead

Thanks guys, it seems like it is working. Thank you for that. The only concern that I have is I'd have to have a NAT rule that has the service any for this to work. How do I further restrict this so that only ping is allowed on the NAT rule? Is this possible?

NAT Rule looks like this:

Source [Untrust IP]

Destination [Untrust IP]

Service [Any]

Translated Address: [Internal Server IP]

Security Rule looks like this:

Source [Untrust IP]

Destination [Untrust IP]

Application [ping]

Action [Allow]

Security Rule ::

Source Zone [Untrust IP]

Destination Zone [Trust]

Source IP [any]

Destination IP  [Untrust IP - Original destination Ip/Non_translated IP]

Application [ping]

Action [Allow]

N.B:Please make sure this specific rule is above other generic rules with context -Source Zone[Trust]  -Destination Zone [Trust].

Refer ::  https://live.paloaltonetworks.com/docs/DOC-1517

  • 1 accepted solution
  • 4714 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!