https://live.paloaltonetworks.com/t5/next-generation-firewall/internet-gt-pa-440-gt-asus-rt-ax53u-ax1800-error-router-does-not/m-p/573318#M2452 <P>there's a good book you can read <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>there's a lot of stuff you can do but let's start with the basics</P> <P>&nbsp;</P> <P>create 2 new layer3 zones</P> <P>&nbsp;</P> <P>i'd firstly set the interface 1/1 to layer 3 mode and set it as dhcp client. that should get you a public IP automatically from your ISP</P> <P>assign it the external zone</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="reaper_0-1705491902222.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56574i5CC05B5961A5CECF/image-size/medium?v=v2&amp;px=400" role="button" title="reaper_0-1705491902222.png" alt="reaper_0-1705491902222.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>next, set the ethernet1/2 as a layer3 interface and assign it an IP address (e.g. 192.168.50.1/24) , and enable a dhcp server on that interface, make sure you set the 192.168.50.1 IP as default route in the dhcp features</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="reaper_1-1705492035273.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56575i31910C2DD840B721/image-size/medium?v=v2&amp;px=400" role="button" title="reaper_1-1705492035273.png" alt="reaper_1-1705492035273.png" /></span></P> <P>&nbsp;</P> <P>now, it would be preferable if you can set your Asus in passthrough mode so it simply acts as an access point and not interfere with routing or additional NAT inside your network</P> <P>&nbsp;</P> <P>don't forget to create a security rule that allows your new internal zone out to your new external zone (delete the rule that was already in place, fresh starts are better)</P> <P>make sure to add your subscription profiles!</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="reaper_2-1705492213885.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56576i8980A7CFF95BBC19/image-size/large?v=v2&amp;px=999" role="button" title="reaper_2-1705492213885.png" alt="reaper_2-1705492213885.png" /></span></P> <P>and lastly, create a NAT rule for your outbound traffic:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="reaper_3-1705492271967.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56577iE959FF6CFF409453/image-size/large?v=v2&amp;px=999" role="button" title="reaper_3-1705492271967.png" alt="reaper_3-1705492271967.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>to ensure your firewall is able to fetch updates, configure it with a DNS server in the management section, then consider setting up 'service routes'&nbsp; (Device &gt; setup &gt; service &gt; service routes) attached to your ethernet1/2 (as else the updates will be fetched via your managment interface which is currently not connected to anything)</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="reaper_4-1705492548214.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56578i16511A468BA1D7C9/image-size/medium?v=v2&amp;px=400" role="button" title="reaper_4-1705492548214.png" alt="reaper_4-1705492548214.png" /></span></P> <P>&nbsp;</P> Wed, 17 Jan 2024 11:55:59 GMT reaper 2024-01-17T11:55:59Z https://live.paloaltonetworks.com/t5/next-generation-firewall/internet-gt-pa-440-gt-asus-rt-ax53u-ax1800-error-router-does-not/m-p/573298#M2449 <P>I have just purchased my first PaloAlto firewall. I am a sysadmin at a small office (about 20 people) and I am in the progress of setting up a new WiFi for my office.</P> <P>&nbsp;</P> <P>This is my equipment:</P> <P>&nbsp;</P> <UL> <LI>Firewall: <SPAN>PA-440</SPAN></LI> <LI>Router: <SPAN>Asus&nbsp;RT-AX53U AX1800</SPAN></LI> </UL> <P><SPAN>This is my current setting:</SPAN></P> <P>&nbsp;</P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="01 PA-440 Drawing.png" style="width: 627px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56566iD004BFDE6F63AF57/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="01 PA-440 Drawing.png" alt="01 PA-440 Drawing.png" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN>I have managed to connect to the PA-440 firewall by setting my network cards IP to 192.168.1.2.</SPAN></P> <P>&nbsp;</P> <P><SPAN>What should I do in order to make my router get Internet? I have some screenshots of my setup here:</SPAN></P> <P>&nbsp;</P> <P><STRONG>PA-440 Dashboard</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="02 PA-440 Dashboard.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56567i444D6C90587AC63F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="02 PA-440 Dashboard.png" alt="02 PA-440 Dashboard.png" /></span></P> <P><STRONG>PA-440 Interfaces<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="03 PA-440 Interfaces.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56568i0F5494C7F4640ABD/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="03 PA-440 Interfaces.png" alt="03 PA-440 Interfaces.png" /></span><BR /></STRONG></P> <P>&nbsp;</P> <P><STRONG><SPAN>Asus&nbsp;RT-AX53U AX1800</SPAN> dashboard<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="10 Asus Dashboard.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56569iC5D3FA82C88F933A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="10 Asus Dashboard.png" alt="10 Asus Dashboard.png" /></span><BR /></STRONG></P> <P>&nbsp;</P> <P><STRONG><SPAN>Asus&nbsp;RT-AX53U AX1800 </SPAN>LAN<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="11 Asus LAN.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56570iC37B91ACBD15A96C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="11 Asus LAN.png" alt="11 Asus LAN.png" /></span><BR /></STRONG></P> <P>&nbsp;</P> <P><STRONG><SPAN>Asus&nbsp;RT-AX53U AX1800 </SPAN>LAN</STRONG> -<STRONG>&gt; DHCP</STRONG><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="12 Asus DHCP.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56571iBA5DA3F688F02424/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="12 Asus DHCP.png" alt="12 Asus DHCP.png" /></span></P> <P>&nbsp;</P> <P><STRONG><SPAN>Asus&nbsp;RT-AX53U AX1800</SPAN> WAN<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="13 Asus Connection.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56572iC3F4BC0118E8F63A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="13 Asus Connection.png" alt="13 Asus Connection.png" /></span></STRONG></P> <P>&nbsp;</P> Wed, 17 Jan 2024 09:00:51 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/internet-gt-pa-440-gt-asus-rt-ax53u-ax1800-error-router-does-not/m-p/573298#M2449 SoloSigma 2024-01-17T09:00:51Z https://live.paloaltonetworks.com/t5/next-generation-firewall/internet-gt-pa-440-gt-asus-rt-ax53u-ax1800-error-router-does-not/m-p/573318#M2452 <P>there's a good book you can read <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>there's a lot of stuff you can do but let's start with the basics</P> <P>&nbsp;</P> <P>create 2 new layer3 zones</P> <P>&nbsp;</P> <P>i'd firstly set the interface 1/1 to layer 3 mode and set it as dhcp client. that should get you a public IP automatically from your ISP</P> <P>assign it the external zone</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="reaper_0-1705491902222.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56574i5CC05B5961A5CECF/image-size/medium?v=v2&amp;px=400" role="button" title="reaper_0-1705491902222.png" alt="reaper_0-1705491902222.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>next, set the ethernet1/2 as a layer3 interface and assign it an IP address (e.g. 192.168.50.1/24) , and enable a dhcp server on that interface, make sure you set the 192.168.50.1 IP as default route in the dhcp features</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="reaper_1-1705492035273.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56575i31910C2DD840B721/image-size/medium?v=v2&amp;px=400" role="button" title="reaper_1-1705492035273.png" alt="reaper_1-1705492035273.png" /></span></P> <P>&nbsp;</P> <P>now, it would be preferable if you can set your Asus in passthrough mode so it simply acts as an access point and not interfere with routing or additional NAT inside your network</P> <P>&nbsp;</P> <P>don't forget to create a security rule that allows your new internal zone out to your new external zone (delete the rule that was already in place, fresh starts are better)</P> <P>make sure to add your subscription profiles!</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="reaper_2-1705492213885.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56576i8980A7CFF95BBC19/image-size/large?v=v2&amp;px=999" role="button" title="reaper_2-1705492213885.png" alt="reaper_2-1705492213885.png" /></span></P> <P>and lastly, create a NAT rule for your outbound traffic:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="reaper_3-1705492271967.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56577iE959FF6CFF409453/image-size/large?v=v2&amp;px=999" role="button" title="reaper_3-1705492271967.png" alt="reaper_3-1705492271967.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>to ensure your firewall is able to fetch updates, configure it with a DNS server in the management section, then consider setting up 'service routes'&nbsp; (Device &gt; setup &gt; service &gt; service routes) attached to your ethernet1/2 (as else the updates will be fetched via your managment interface which is currently not connected to anything)</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="reaper_4-1705492548214.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56578i16511A468BA1D7C9/image-size/medium?v=v2&amp;px=400" role="button" title="reaper_4-1705492548214.png" alt="reaper_4-1705492548214.png" /></span></P> <P>&nbsp;</P> Wed, 17 Jan 2024 11:55:59 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/internet-gt-pa-440-gt-asus-rt-ax53u-ax1800-error-router-does-not/m-p/573318#M2452 reaper 2024-01-17T11:55:59Z https://live.paloaltonetworks.com/t5/next-generation-firewall/internet-gt-pa-440-gt-asus-rt-ax53u-ax1800-error-router-does-not/m-p/573352#M2460 <P>Thank you for your help Reaper. Now my office have Internet via the PA-440 firewall. </P> Wed, 17 Jan 2024 18:37:11 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/internet-gt-pa-440-gt-asus-rt-ax53u-ax1800-error-router-does-not/m-p/573352#M2460 SoloSigma 2024-01-17T18:37:11Z