https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445497#M100478 <P>Hi,</P><P>&nbsp;I hope any one tell me how this ping -a works.</P><P>is it working by querring the name "from the DNS" so I need to have access to the DNS which is already provided.</P><P>is it using the netbios name? how to enable this app in the security rules?</P><P>"by the way, just now I found the ping -a is working to other zone"</P> Thu, 04 Nov 2021 15:11:56 GMT MRamadanAHafiez 2021-11-04T15:11:56Z https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445019#M100418 <P>Hello Bro,</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;In our network we used to be in the same vlan of our employees endpoint and we used to use the command ping -a x.x.x.x</P><P>to resolve the name of the pinged IP.</P><P>after we have moved our PCs "admins" to a different zone, now we can't use this command anymore, the ping is working but the paramenter -a is not getting any names.</P><P>knowing that we have a full access to the dns still.</P><P>I belive this is firewall matter and as I read ping -a uses some layer 2 staff.</P><P>things are not clear, so how to have ping -a getting the names with the command output again?</P><P>TIA</P> Tue, 02 Nov 2021 17:07:07 GMT https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445019#M100418 MRamadanAHafiez 2021-11-02T17:07:07Z https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445097#M100423 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/159497">@MRamadanAHafiez</a>,</P> <P>This option works perfectly fine through security zones on my firewall without any issues. If this only started happening after you moved these machines into a new security zone, try enabling logging on your interzone-default to ensure your capturing denied traffic and see if anything is getting blocked due to not being included in your rulebase.</P> Tue, 02 Nov 2021 23:50:32 GMT https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445097#M100423 BPry 2021-11-02T23:50:32Z https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445127#M100431 <P>Thank you <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;so much for the reply.</P><P>We are not blocked from anything from our new zone, and the monitor logs says nothing denied.</P><P>I will double check but if you tell me how ping-a works that may help me resolving it.</P><P>Any ideas appreciated.</P> Wed, 03 Nov 2021 04:52:25 GMT https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445127#M100431 MRamadanAHafiez 2021-11-03T04:52:25Z https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445128#M100432 <P>Was the name resolution working via DNS or Netbios? It’s possible it was Netbios and reason it worked prior to the move.&nbsp;</P> Wed, 03 Nov 2021 05:24:17 GMT https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445128#M100432 aortiz 2021-11-03T05:24:17Z https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445142#M100436 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/195251">@aortiz</a>&nbsp;name resolution working via dns no problem after and before zones separation, this is for dns.</P><P>But after changing to the new zone ping -a x.x.x.x&nbsp; Not working "was working before Changing zone".</P> Wed, 03 Nov 2021 06:54:39 GMT https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445142#M100436 MRamadanAHafiez 2021-11-03T06:54:39Z https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445396#M100462 <P>If it worked via DNS and your DNS traffic is not being blocked, then it should still work. I suspect the name resolution was working via Netbios which uses broadcast destination address and most likely not being forwarded across. You can test ping -a from new zone to verify it still works on same broadcast domain and play with nslookups to test DNS.&nbsp;</P> Wed, 03 Nov 2021 23:46:11 GMT https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445396#M100462 aortiz 2021-11-03T23:46:11Z https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445401#M100463 <P>Hi, 1. can you check interface setting and its zone protection configuration. It may be possible ping is blocked on interface level.</P><P>&nbsp;</P><P>2. can you check output of tracert and check where it gets dropped . It will give you idea about the hop which comes in between source and destination. You can check all devices if you are sure that PA configuration is fine.</P><P>&nbsp;</P><P>2. Is ping not working for specific subnet or whole network</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 04 Nov 2021 00:39:06 GMT https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445401#M100463 Dalidali 2021-11-04T00:39:06Z https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445473#M100473 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/159497">@MRamadanAHafiez</a>,</P> <P>Offhand I don't know how ping -a functions in the background and whether it uses netbios or DNS for the name resolution. The only thing that I can tell you for sure is that I can do it successfully across security zones without any issues. This is the first time that I've actually even heard of ping -a, and it's not extremely useful personally, but it's perfectly functional across L3 security zones without any issue.&nbsp;</P> Thu, 04 Nov 2021 13:38:58 GMT https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445473#M100473 BPry 2021-11-04T13:38:58Z https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445497#M100478 <P>Hi,</P><P>&nbsp;I hope any one tell me how this ping -a works.</P><P>is it working by querring the name "from the DNS" so I need to have access to the DNS which is already provided.</P><P>is it using the netbios name? how to enable this app in the security rules?</P><P>"by the way, just now I found the ping -a is working to other zone"</P> Thu, 04 Nov 2021 15:11:56 GMT https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445497#M100478 MRamadanAHafiez 2021-11-04T15:11:56Z https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445984#M100524 <P>Hello Bro,</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; After using the packet capture, I have discovered that the commanf ping -a x.x.x.x uses the LLMNR "Linl-Layer Multicast name resolution", Kindly anyone correct me or tell me how to allow this kind of multicast app " abit risky app, but i need to POC it"</P> Sat, 06 Nov 2021 20:49:56 GMT https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/445984#M100524 MRamadanAHafiez 2021-11-06T20:49:56Z https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/446846#M100633 <P>Use of LLMNR is not recommended. I suggest you use DNS for name resolution.&nbsp;</P> Wed, 10 Nov 2021 23:43:05 GMT https://live.paloaltonetworks.com/t5/general-topics/ping-a-not-resolving-name-anymore/m-p/446846#M100633 aortiz 2021-11-10T23:43:05Z