https://live.paloaltonetworks.com/t5/general-topics/pa-is-connected-to-a-router/m-p/538898#M110586 <P>Hi PA(non-management interface) is connected to a router via a cable .&nbsp; What is minimus condition for the two device to ping each other?</P> <P>1. ip address in interface are in same subnet,</P> <P>2.&nbsp; interface associated with management profile to allow ping&nbsp;</P> <P>3. interface type is L3</P> <P>&nbsp;</P> <P>Any else?&nbsp;</P> <P>&nbsp;</P> <P>The reason why i ask the question is the two device cannot see each other via arp. is this physical connection issue?&nbsp;</P> <P>Thanks</P> Sun, 16 Apr 2023 04:33:46 GMT DavidyPalo 2023-04-16T04:33:46Z https://live.paloaltonetworks.com/t5/general-topics/pa-is-connected-to-a-router/m-p/538898#M110586 <P>Hi PA(non-management interface) is connected to a router via a cable .&nbsp; What is minimus condition for the two device to ping each other?</P> <P>1. ip address in interface are in same subnet,</P> <P>2.&nbsp; interface associated with management profile to allow ping&nbsp;</P> <P>3. interface type is L3</P> <P>&nbsp;</P> <P>Any else?&nbsp;</P> <P>&nbsp;</P> <P>The reason why i ask the question is the two device cannot see each other via arp. is this physical connection issue?&nbsp;</P> <P>Thanks</P> Sun, 16 Apr 2023 04:33:46 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-is-connected-to-a-router/m-p/538898#M110586 DavidyPalo 2023-04-16T04:33:46Z https://live.paloaltonetworks.com/t5/general-topics/pa-is-connected-to-a-router/m-p/538902#M110587 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/203590">@DavidyPalo</a> ,</P> <P>&nbsp;</P> <P>There are a couple more minimal conditions I would add.</P> <P>&nbsp;</P> <OL> <LI>Make sure you source your ping from the desired interface.&nbsp; If you do not specify the source option, pings are sourced from the management interface.</LI> <LI>You always need a security policy rule for any traffic to go to or through the NGFW.&nbsp; In your case, the intrazone-default rule will allow the traffic.</LI> <LI>The router should not ave any ACLs applied to it also.</LI> </OL> <P>Then the "show arp" command on the CLI should show a MAC address for the router.&nbsp; If not, you do not have layer 2 connectivity between the NGFW and router.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Sun, 16 Apr 2023 09:13:50 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-is-connected-to-a-router/m-p/538902#M110587 TomYoung 2023-04-16T09:13:50Z https://live.paloaltonetworks.com/t5/general-topics/pa-is-connected-to-a-router/m-p/538912#M110589 <P>Great!</P> <P>After security policy is added, the ping can work. but after removing the security policy, the ping still can work. why it happen like that?&nbsp;</P> <P>&nbsp;</P> Sun, 16 Apr 2023 15:20:03 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-is-connected-to-a-router/m-p/538912#M110589 DavidyPalo 2023-04-16T15:20:03Z https://live.paloaltonetworks.com/t5/general-topics/pa-is-connected-to-a-router/m-p/538913#M110590 <P>Under "Device &gt; Config Audit" at the bottom there are droppdowns where you can choose different configs to compare.<BR />Running config - currently active config<BR />Candidate config - new changed config that has not been committed yet<BR />"Go" button will initiate compare task.</P> Sun, 16 Apr 2023 15:24:03 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-is-connected-to-a-router/m-p/538913#M110590 Raido_Rattameister 2023-04-16T15:24:03Z