topic Re: Firewall Unable to connect to ISP Router in General Topics

Firewall Unable to connect to ISP Router

HassanThiam — Tue, 17 Jan 2023 10:43:59 GMT

I m setting up a small office network where the endpoints are connecting to a switch that is in turn trunked to a PA220 Firewall . The firewall external interface is configured with a static IP address within the same range as the ISP IP router .

However it appears that neither the ISP router or the Palo can receive arp entries off each other let alone ping each other

The ISP provider has also confirmed the internet connectivity is working fine .

Can anyone please advise ?

Thanks

Re: Firewall Unable to connect to ISP Router

Raido_Rattameister — Tue, 17 Jan 2023 13:15:50 GMT

If you configure same public IP and gateway on your laptop and connect ISP cable directly to laptop can you get to internet or see arp from ISP?

If yes we can help you troubleshoot Palo.

If not then ISP needs to check their config.

Re: Firewall Unable to connect to ISP Router

HassanThiam — Tue, 17 Jan 2023 15:00:22 GMT

Thanks for the feedback . Unfortunately at the time, I was unable to configure my laptop IP address and Gateway because of admin restrictions ( working to get elevated privileges at the moment ) . The ISP sent an engineer onsite to check internet reachability and he confirmed connectivity to the ISP default gateway by plugging a device directly into the router .What are the sort of config that could prevent the firewall from seeing the router ?

Thanks

Re: Firewall Unable to connect to ISP Router

Raido_Rattameister — Tue, 17 Jan 2023 15:37:02 GMT

ISP provides connectivity over access port right (not tagged/trunk port)?

Ask ISP if speed/duplex is set to auto/auto or if they have hardcoded those settings.

If second option you need to match your side.

Re: Firewall Unable to connect to ISP Router

HassanThiam — Tue, 17 Jan 2023 17:49:29 GMT

I will enquire with the ISP about the speed/duplex settings , I would have thought they will be set to auto

Yes the connectivity is provided through an access port . As per the attached topology the firewall connect to an Onsite router that only function in bridge mode with so layer 3 communication is between the firewall and the aggregate router .

The ISP engineer that visited the site confirmed the Internet was working by plugging a portable device into the Onsite router ( LAN 1) and could get to the ISP Aggregate Router using IP addresses within the same range .

Let me know if you have any further suggestions

Thanks in advance

Re: Firewall Unable to connect to ISP Router

HassanThiam — Thu, 19 Jan 2023 10:31:25 GMT

Good Morning ,

I can now confirm I have Internet connectivity but I have set up a VPN with an ASA that s not coming up . The outside interface of the Palo is up and can ping the ASA outside interface .

Any advice will be greatly appreciated

Thanks

Re: Firewall Unable to connect to ISP Router

TomYoung — Thu, 19 Jan 2023 12:12:35 GMT

Hi @HassanThiam ,

Do you have an interface profile applied to your interface connected to the ISP that allows pings?
1. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMmCAK
2. Otherwise pings will not be allowed, and an ARP request will not be sent.
Do you source your pings from the IP applied to the interface connected to the ISP?
1. https://live.paloaltonetworks.com/t5/blogs/tips-amp-tricks-how-to-ping-from-the-cli/ba-p/468784
2. Otherwise the pings will be sourced from the management IP address.
3. Again, no ARP request will be sent out the ISP interface.
Do you see the pings in the traffic logs (Monitor > Logs > Traffic)?
1. Pings from an interface will be allowed by the intrazone-default rule.
2. Logging will need to be enabled on the rule. https://docs.paloaltonetworks.com/best-practices/9-1/data-center-best-practices/data-center-best-practice-security-policy/log-and-monitor-data-center-traffic/log-intra-data-center-traffic-that-matches-the-intrazone-allow-rule
3. You can also enable logging on the interzone-default rule. Then you should see all IP traffic through the data plane, allowed or dropped.
4. Logs confirm the NGFW is attempting to send pings.
Have you verified the NGFW is not receiving ARP by using the "show arp" command on the CLI?
1. You should see a MAC address (received) or incomplete (not received).
2. The incomplete times out fairly quickly. The command needs to be run as soon as the ping is done.

Thanks,

Tom

Re: Firewall Unable to connect to ISP Router

HassanThiam — Fri, 20 Jan 2023 09:45:18 GMT

Hi Tom

Thanks for the feedback .

Do you have an interface profile applied to your interface connected to the ISP that allows pings?
1. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMmCAK
2. Otherwise pings will not be allowed, and an ARP request will not be sent.
3. Yes I do have an interface management profile that accept pings
Do you source your pings from the IP applied to the interface connected to the ISP?
1. https://live.paloaltonetworks.com/t5/blogs/tips-amp-tricks-how-to-ping-from-the-cli/ba-p/468784
2. Otherwise the pings will be sourced from the management IP address.
3. Again, no ARP request will be sent out the ISP interface.
4. When I source it from the Management interface it doesn't work but works from the NGFW outside interface
Do you see the pings in the traffic logs (Monitor > Logs > Traffic)?
1. Pings from an interface will be allowed by the intrazone-default rule.
2. Logging will need to be enabled on the rule. https://docs.paloaltonetworks.com/best-practices/9-1/data-center-best-practices/data-center-best-pra...
3. You can also enable logging on the interzone-default rule. Then you should see all IP traffic through the data plane, allowed or dropped.
4. Logs confirm the NGFW is attempting to send pings.
5. Yes I can see the pings from the traffic logs
Have you verified the NGFW is not receiving ARP by using the "show arp" command on the CLI?
1. You should see a MAC address (received) or incomplete (not received).
2. The incomplete times out fairly quickly. The command needs to be run as soon as the ping is done.
3. To be confirmed

As per the topology I can t get the tunnel to the ASA working although the IKE parameters seem to match . The outside interface of the Palo can ping the ASA though . From an ASA perspective I can t see nothing on the logs .

This s the message I get from the NGFW .

Any help will be greatly appreciated

Thanks

Re: Firewall Unable to connect to ISP Router

Raido_Rattameister — Fri, 20 Jan 2023 13:21:07 GMT

Crypto settings don't match.

Do you manage ASA side as well to check config?

"show vpn-sessiondb detailed l2l" is helpful to use on ASA side.

If you can't get this info then next step is to turn Palo side to passive mode and figure out what ASA is negotiating with using packet capture.

Re: Firewall Unable to connect to ISP Router

TomYoung — Fri, 20 Jan 2023 14:04:16 GMT

Hi @HassanThiam ,

I am glad the Internet is working now. If my answer helped you get the ping working, please accept it as the solution.

With regard to the VPN, we would be glad to help on this thread, but technically it is a different topic.

A good place to start with IPsec is the green lights under Network > IPSec Tunnels, and Monitor > Logs > System. As @Raido_Rattameister mentioned, NO_PROPOSAL_CHOSEN means the crypto settings do not match and the tunnel is not up.

Thanks,

Tom