topic Re: A connection issue between PA and SW in General Topics

A connection issue between PA and SW

DavidyPalo — Sun, 19 Dec 2021 17:31:56 GMT

Hi, PA port e1/2 is connected to switch port f1/5(L3). Both devices can see each other's ip and mac address. The Virtual router and Security zone and Magagement profile Ping are configured. but both devices cannot ping each other. Did I miss some step? Thank you

Re: A connection issue between PA and SW

PavelK — Sun, 19 Dec 2021 21:03:11 GMT

Thank you for post @DavidyPalo

By default Firewall is using management interface for ping. If you want to verify reachability of data plane interface you can change source: ping source <int 1/2 ip address> host <destination ip>

Kind Regards

Pavel

Re: A connection issue between PA and SW

DavidyPalo — Sun, 19 Dec 2021 23:21:37 GMT

Thank you for your reply! Now PA can ping SW, but the SW cannot ping PA. Maybe its default router configuration issue?

PA e1/2 10.200.255.1/24 ------------f1/5 SW 10.200.255.2/24

Below is virtual router vRTR-INET-Core:

Re: A connection issue between PA and SW

PavelK — Sun, 19 Dec 2021 23:49:18 GMT

Thank you for reply @DavidyPalo

Since you can ping Switch from Firewall and it is directly connected link, there should be no issue with routing. Have you checked Firewall's Traffic log to confirm ICMP arrives Firewall? Unless you have custom rule, this should hit by default: intrazone-default rule. Make sure that logging is enabled under: Actions > Log Setting > Log at session end, otherwise you will not see any logs hitting this rule.

Note: I can see that you have not configured Interface for static route. It is not mandatory if you have next hop, however if you want to make sure that next hop is reachable over certain interface you can hardcode it.

Kind Regards

Pavel

Re: A connection issue between PA and SW

DavidyPalo — Mon, 20 Dec 2021 02:36:25 GMT

Hi PaveIK, where to enable Traffic Log?

under: Actions > Log Setting > Log , it cannot be found.

Re: A connection issue between PA and SW

PavelK — Mon, 20 Dec 2021 03:19:40 GMT

Thank you for reply @DavidyPalo

it is under security rule:

Kind Regards

Pavel

Re: A connection issue between PA and SW

DavidyPalo — Mon, 20 Dec 2021 04:14:52 GMT

Why my PA show read-only? I did not setup Panorama

Re: A connection issue between PA and SW

PavelK — Mon, 20 Dec 2021 04:21:09 GMT

Hello @DavidyPalo

could you click on green gear icon and press override?

then you will be able to edit and commit the change.

Kind Regards

Pavel

Re: A connection issue between PA and SW

MP18 — Mon, 20 Dec 2021 05:04:28 GMT

@DavidyPalo

Make sure Ping is allowed to PA interface under Network and Interface MGMT.

Regards

Re: A connection issue between PA and SW

PavelK — Mon, 20 Dec 2021 21:27:53 GMT

Thank you for feedback @DavidyPalo

I am sorry, I would like to confirm one point. In your first post you mentioned: "The Virtual router and Security zone and Management profile Ping are configured." Since you mentioned it ping is working after creating new management profile, does it mean ping was not allowed in your previous management profile or it was not applied to interface from the beginning?

Regarding overriding, the intrazone-default rule, could you please click on in intrazone-default and navigate to the bottom of the page and click on overrride button?

Thank you and Regards

Pavel

Re: A connection issue between PA and SW

DavidyPalo — Tue, 21 Dec 2021 20:01:19 GMT

Thank you!!