https://live.paloaltonetworks.com/t5/general-topics/pa3250-in-no-rules-allow-all-mode-and-public-ips/m-p/482191#M104255 <P>Thank you for the post&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/217299">@jpierce</a></P><P>&nbsp;</P><P>to answer your question for policies, the answer is no. For OSPF as well as BGP traffic, it should hit "intrazone-default" policy with the exception of BGP peer that is using update source address assigned to different zone, then this traffic might get blocked.</P><P>&nbsp;</P><P>Regarding the issue with lost routes without further details, it is hard to give any advice, however as a next step, I would check whether your routing protocol adjacency/neighbor neighborship is established, check routing/forwarding table and system log.</P><P>&nbsp;</P><P>Kind Regards</P><P>Pavel</P> Sun, 24 Apr 2022 22:16:23 GMT PavelK 2022-04-24T22:16:23Z https://live.paloaltonetworks.com/t5/general-topics/pa3250-in-no-rules-allow-all-mode-and-public-ips/m-p/482155#M104249 <P>We are currently testing out/learning with a new 3250 in no rules / allow all traffic mode flowing from ISP &gt; Palo &gt; Cisco ASA (Being Retired).</P><P>&nbsp;</P><P>We have two public ips routed to two local static IPs and those have stopped working. Would a policy need to be created so the Palo does the routing and not the Cisco.</P> Sat, 23 Apr 2022 18:04:18 GMT https://live.paloaltonetworks.com/t5/general-topics/pa3250-in-no-rules-allow-all-mode-and-public-ips/m-p/482155#M104249 jpierce 2022-04-23T18:04:18Z https://live.paloaltonetworks.com/t5/general-topics/pa3250-in-no-rules-allow-all-mode-and-public-ips/m-p/482191#M104255 <P>Thank you for the post&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/217299">@jpierce</a></P><P>&nbsp;</P><P>to answer your question for policies, the answer is no. For OSPF as well as BGP traffic, it should hit "intrazone-default" policy with the exception of BGP peer that is using update source address assigned to different zone, then this traffic might get blocked.</P><P>&nbsp;</P><P>Regarding the issue with lost routes without further details, it is hard to give any advice, however as a next step, I would check whether your routing protocol adjacency/neighbor neighborship is established, check routing/forwarding table and system log.</P><P>&nbsp;</P><P>Kind Regards</P><P>Pavel</P> Sun, 24 Apr 2022 22:16:23 GMT https://live.paloaltonetworks.com/t5/general-topics/pa3250-in-no-rules-allow-all-mode-and-public-ips/m-p/482191#M104255 PavelK 2022-04-24T22:16:23Z https://live.paloaltonetworks.com/t5/general-topics/pa3250-in-no-rules-allow-all-mode-and-public-ips/m-p/482332#M104276 <P>Hello,</P><P>It sounds like you are attempting to put the Palo Alto inline in a 'virtual wire' mode. This way you can see all the traffic and possibly apply policies to this. Let us know how you plan to perform a stepped approach and we can provide guidance.</P><P>&nbsp;</P><P>The way I usually do this is configure the PAN with all the layer 3/4 policies in the ASA and swap them out during a maintenance window. Then put in the layer 7 policies above the layer 3/4 ones and ones the 3/4 ones no longer get any hits, I disable them.</P><P>&nbsp;</P><P>Regards,</P> Mon, 25 Apr 2022 14:57:17 GMT https://live.paloaltonetworks.com/t5/general-topics/pa3250-in-no-rules-allow-all-mode-and-public-ips/m-p/482332#M104276 OtakarKlier 2022-04-25T14:57:17Z