https://live.paloaltonetworks.com/t5/next-generation-firewall/unable-to-ping-palo-alto-interface-connectivity-appears-one/m-p/1238063#M6297 <P><SPAN>we checked and didn''t create any custom "deny all" rule placed above the default intrazone-default rule</SPAN></P> Tue, 16 Sep 2025 11:24:39 GMT jahidur27 2025-09-16T11:24:39Z https://live.paloaltonetworks.com/t5/next-generation-firewall/unable-to-ping-palo-alto-interface-connectivity-appears-one/m-p/1238029#M6294 <P>We are working with a client who has a network setup where a Palo Alto firewall is connected to a Check Point firewall. The client reports that they are unable to ping the IP address of the Palo Alto firewall's interface ethernet1/8.</P><H3>Troubleshooting Steps Performed:</H3><OL><LI><P><STRONG>Initial Test Between Firewalls:</STRONG></P><UL><LI><P>The Palo Alto firewall is connected to the Check Point firewall via interface ethernet1/8 (on Palo Alto) to ethernet1/13 (on Check Point).</P></LI><LI><P>We are unable to ping the Palo Alto interface IP (ethernet1/8) from the Check Point firewall.</P></LI><LI><P>However, traffic is confirmed to be flowing through this interface (via monitoring/logs), indicating Layer 2/3 connectivity is at least partially functional.</P></LI></UL></LI><LI><P><STRONG>Direct Laptop Connection for Testing:</STRONG></P><UL><LI><P>A laptop was connected directly to the Palo Alto ethernet1/8 interface and configured with an IP in the same subnet.</P></LI><LI><P>The laptop was <STRONG>unable to ping</STRONG> the interface IP of ethernet1/8.</P></LI></UL></LI><LI><P><STRONG>Check Point Verification:</STRONG></P><UL><LI><P>The same laptop was then connected to the Check Point interface ethernet1/13 and could successfully ping the Check Point firewall IP, confirming the laptop’s configuration and connectivity are fine.</P></LI><LI><P>This suggests the issue lies with the Palo Alto firewall interface, not the cabling or endpoint.</P></LI></UL></LI><LI><P><STRONG>Testing with Alternate Interface:</STRONG></P><UL><LI><P>We assigned a new subnet to a different Palo Alto interface (ethernet1/5) and connected the laptop directly.</P></LI><LI><P>The result was the same – the interface was <STRONG>not responding to pings</STRONG>, despite being up and assigned a valid IP.</P></LI></UL></LI></OL><H3>Additional Information:</H3><UL><LI><P><STRONG>Ping response (Management Profile)</STRONG> is enabled on both interfaces (ethernet1/8 and ethernet1/5) as confirmed in the Palo Alto configuration.</P></LI><LI><P>Physical interfaces are <STRONG>up</STRONG>, and traffic is observed as passing on ethernet1/8 toward the Check Point firewall.</P></LI><LI><P>The issue is <STRONG>not related to routing</STRONG>, as the laptop is in the same subnet and connected directly.</P></LI></UL><H3>Suspicion:</H3><P>We suspect there may be additional, unreported configuration changes made by the client (possibly security rules or zones affecting ICMP traffic) which are impacting the expected behavior. However, we currently do not have visibility into the full policy or security rulebase applied.</P><P>&nbsp;</P><P>Has anyone encountered a similar issue where Palo Alto interfaces are up and passing traffic but do not respond to pings even with ping enabled?</P><UL><LI><P>Any suggestions on commands or logs we can check (e.g., debug, flow basic, etc.) to help isolate this issue further?</P></LI></UL><P>BR</P><P>zhd</P> Tue, 16 Sep 2025 04:06:33 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/unable-to-ping-palo-alto-interface-connectivity-appears-one/m-p/1238029#M6294 jahidur27 2025-09-16T04:06:33Z https://live.paloaltonetworks.com/t5/next-generation-firewall/unable-to-ping-palo-alto-interface-connectivity-appears-one/m-p/1238054#M6295 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/922237585">@jahidur27</a>&nbsp;,</P> <P>&nbsp;</P> <P>Is ping allowed by security policy ?</P> <P>&nbsp;</P> <P>The default security policy allows all traffic within the same zone (intrazone-default rule) but drops all traffic between different zones (interzone-default rule). Therefore, a ping from a directly connected laptop to a firewall interface should be allowed by default.</P> <P>However, this access will be blocked if you have a custom "deny all" rule placed above the default intrazone-default rule. This more restrictive posture ensures only explicitly permitted intra-zone traffic can flow, but it also renders the default rule ineffective.</P> <P>&nbsp;</P> <P>Hope this helps,</P> <P>Kind regards,</P> <P>-Kim.</P> Tue, 16 Sep 2025 09:41:08 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/unable-to-ping-palo-alto-interface-connectivity-appears-one/m-p/1238054#M6295 kiwi 2025-09-16T09:41:08Z https://live.paloaltonetworks.com/t5/next-generation-firewall/unable-to-ping-palo-alto-interface-connectivity-appears-one/m-p/1238062#M6296 <P>we checked that we didn''t create any&nbsp;<SPAN>custom "deny all" rule placed above the default intrazone-default rule.</SPAN></P> Tue, 16 Sep 2025 11:23:21 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/unable-to-ping-palo-alto-interface-connectivity-appears-one/m-p/1238062#M6296 jahidur27 2025-09-16T11:23:21Z https://live.paloaltonetworks.com/t5/next-generation-firewall/unable-to-ping-palo-alto-interface-connectivity-appears-one/m-p/1238063#M6297 <P><SPAN>we checked and didn''t create any custom "deny all" rule placed above the default intrazone-default rule</SPAN></P> Tue, 16 Sep 2025 11:24:39 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/unable-to-ping-palo-alto-interface-connectivity-appears-one/m-p/1238063#M6297 jahidur27 2025-09-16T11:24:39Z