https://live.paloaltonetworks.com/t5/next-generation-firewall/issues-with-traffic-passing-through-vwire/m-p/1219139#M5485 <P>hi guys, i'm trying to set up a new Palo Alto firewall, a PA 440, for a customer. But they want minimal impact on their network and don't want to change anything, so i proposed setting up a vWire so they change nothing and can benefit from the inspection features of the new Palo box.</P> <P>pretty much here's how it kinda looks like:</P> <P>ISP Router --&gt; Core Switch --&gt; PA 440 --&gt; Existing Firewall --&gt; LAN</P> <P>Following the official documentation, i set up 2 vWire interfaces with a zone for each and i create a policy to allow everything, with just antivirus and vulnerabilty profile activated, the idea being i'll tighten it later</P> <P>but there is no connectivity to the internet: pings are not responsive and websites don't load. in the monitor logs, i see all requests are allowed, but they all say application is incomplete</P> <P>what have i missed ?</P> Mon, 03 Feb 2025 19:45:46 GMT D.Sine 2025-02-03T19:45:46Z https://live.paloaltonetworks.com/t5/next-generation-firewall/issues-with-traffic-passing-through-vwire/m-p/1219139#M5485 <P>hi guys, i'm trying to set up a new Palo Alto firewall, a PA 440, for a customer. But they want minimal impact on their network and don't want to change anything, so i proposed setting up a vWire so they change nothing and can benefit from the inspection features of the new Palo box.</P> <P>pretty much here's how it kinda looks like:</P> <P>ISP Router --&gt; Core Switch --&gt; PA 440 --&gt; Existing Firewall --&gt; LAN</P> <P>Following the official documentation, i set up 2 vWire interfaces with a zone for each and i create a policy to allow everything, with just antivirus and vulnerabilty profile activated, the idea being i'll tighten it later</P> <P>but there is no connectivity to the internet: pings are not responsive and websites don't load. in the monitor logs, i see all requests are allowed, but they all say application is incomplete</P> <P>what have i missed ?</P> Mon, 03 Feb 2025 19:45:46 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/issues-with-traffic-passing-through-vwire/m-p/1219139#M5485 D.Sine 2025-02-03T19:45:46Z https://live.paloaltonetworks.com/t5/next-generation-firewall/issues-with-traffic-passing-through-vwire/m-p/1219401#M5492 <P>Hello,</P> <P>Most of the time when I see the application as 'unknown' its a connectivity issue. Also I would suggest putting the PAN between the existing firewall and the clients so you can see that traffic and build policies on it. Also make sure your policie(s) allow traffic in both directions.</P> Tue, 04 Feb 2025 20:02:50 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/issues-with-traffic-passing-through-vwire/m-p/1219401#M5492 OtakarKlier 2025-02-04T20:02:50Z https://live.paloaltonetworks.com/t5/next-generation-firewall/issues-with-traffic-passing-through-vwire/m-p/1221914#M5603 <P><SPAN>just to give a quick update: in the end i added the VLAN tags to the vWire, and also had to create a Zone Protection Profile and set TCP Non-SYN Packet rejection to No. apparently it is an asymetric routing issue, see this kb for details:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSHCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSHCA0</A></SPAN></P> Tue, 25 Feb 2025 13:24:16 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/issues-with-traffic-passing-through-vwire/m-p/1221914#M5603 D.Sine 2025-02-25T13:24:16Z