https://live.paloaltonetworks.com/t5/general-topics/best-guides-for-new-firewall-deployment/m-p/514758#M106834 <P>Hello,</P> <P>Sounds like a routing/policy issues with the original PAN you deployed. I wouldnt recommend having the management interface internet facing unless you lock it down to source IP's. However you can change the services, so they use a different interface to reaching out and grabbing updates, etc.</P> <P>If you're adventurous</P> <P><A href="https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint-of-heart/ta-p/435501" target="_blank">https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint-of-heart/ta-p/435501</A></P> <P>it blocks almost everything so be careful.</P> <P>&nbsp;</P> <P>Regards,</P> Tue, 13 Sep 2022 20:16:09 GMT OtakarKlier 2022-09-13T20:16:09Z https://live.paloaltonetworks.com/t5/general-topics/best-guides-for-new-firewall-deployment/m-p/514501#M106796 <P>I am deploying a new firewall for a PoC however I am having some issues. I have deployed and activated the server on Azure, I am using VM-Series. However despite on the Azure side there being no restrictions, there server is not able to connect to the internet for updates.&nbsp;<BR />I must be missing something basic in understand/setup so any pointers would be great.</P> Sun, 11 Sep 2022 11:21:04 GMT https://live.paloaltonetworks.com/t5/general-topics/best-guides-for-new-firewall-deployment/m-p/514501#M106796 Nhussain 2022-09-11T11:21:04Z https://live.paloaltonetworks.com/t5/general-topics/best-guides-for-new-firewall-deployment/m-p/514529#M106800 <P>is the server in the same vnet and subnet as the internal interface and how have you set the default gateway of the server?&nbsp;</P> <P>most commonly the internal interface of the palo will be dhcp client and the server behind has a default gateway to x.x.x.4</P> <P>Set the palo external interface also to dhcp client and enable dynamic port/ip NAT and only assign the interface (don't set an IP)</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>see if that helps</P> Mon, 12 Sep 2022 08:01:10 GMT https://live.paloaltonetworks.com/t5/general-topics/best-guides-for-new-firewall-deployment/m-p/514529#M106800 reaper 2022-09-12T08:01:10Z https://live.paloaltonetworks.com/t5/general-topics/best-guides-for-new-firewall-deployment/m-p/514574#M106810 <P>The server is on the same virtual network as the internal interface but not the same subnet. The Internal interface has been configured with DHCP, however I have not done anything specific to define the gateway, where would this be done?&nbsp;</P> Mon, 12 Sep 2022 12:27:08 GMT https://live.paloaltonetworks.com/t5/general-topics/best-guides-for-new-firewall-deployment/m-p/514574#M106810 Nhussain 2022-09-12T12:27:08Z https://live.paloaltonetworks.com/t5/general-topics/best-guides-for-new-firewall-deployment/m-p/514625#M106813 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/231978">@Nhussain</a>,</P> <P>What are you seeing in the traffic logs? Do you see the traffic coming in from the server in question? Do you see it properly your NAT statement?&nbsp;</P> Mon, 12 Sep 2022 18:18:28 GMT https://live.paloaltonetworks.com/t5/general-topics/best-guides-for-new-firewall-deployment/m-p/514625#M106813 BPry 2022-09-12T18:18:28Z https://live.paloaltonetworks.com/t5/general-topics/best-guides-for-new-firewall-deployment/m-p/514664#M106818 <P>So Logs show traffic is allowed and the NAT is also being applied.<BR /><BR />however after all that nothing worked, so I deployed another Palo ALto instance but this time it had a public IP on the management interface. it worked,</P> <P>&nbsp;</P> <P>Added a public IP on the server I was working on and internet connectivity worked. My question is why? Azure does nat'ing for you, it should not need a public IP to get out to the internet? Does anyone know why?&nbsp;</P> Mon, 12 Sep 2022 22:03:05 GMT https://live.paloaltonetworks.com/t5/general-topics/best-guides-for-new-firewall-deployment/m-p/514664#M106818 Nhussain 2022-09-12T22:03:05Z https://live.paloaltonetworks.com/t5/general-topics/best-guides-for-new-firewall-deployment/m-p/514758#M106834 <P>Hello,</P> <P>Sounds like a routing/policy issues with the original PAN you deployed. I wouldnt recommend having the management interface internet facing unless you lock it down to source IP's. However you can change the services, so they use a different interface to reaching out and grabbing updates, etc.</P> <P>If you're adventurous</P> <P><A href="https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint-of-heart/ta-p/435501" target="_blank">https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint-of-heart/ta-p/435501</A></P> <P>it blocks almost everything so be careful.</P> <P>&nbsp;</P> <P>Regards,</P> Tue, 13 Sep 2022 20:16:09 GMT https://live.paloaltonetworks.com/t5/general-topics/best-guides-for-new-firewall-deployment/m-p/514758#M106834 OtakarKlier 2022-09-13T20:16:09Z