topic Re: Palo Alto Intergrade with ACI- Cannot see hop firewall on tranceroute in General Topics https://live.paloaltonetworks.com/t5/general-topics/palo-alto-intergrade-with-aci-cannot-see-hop-firewall-on/m-p/593471#M118113 <P>To be able to see the firewall in traceroute or ping, you need to set an interface management profile on both interfaces with 'ping' enabled</P> <P>Next a rule needs to allow your hosts to communicate with the firewall interfaces (depends on how strictly you set your rulebase)</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="reaper_0-1722328789221.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61221iEE2857075F1989CF/image-size/medium?v=v2&amp;px=400" role="button" title="reaper_0-1722328789221.png" alt="reaper_0-1722328789221.png" /></span></P> <P>&nbsp;</P> Tue, 30 Jul 2024 08:40:12 GMT reaper 2024-07-30T08:40:12Z Palo Alto Intergrade with ACI- Cannot see hop firewall on tranceroute https://live.paloaltonetworks.com/t5/general-topics/palo-alto-intergrade-with-aci-cannot-see-hop-firewall-on/m-p/593299#M118082 <P>I Integrade Firewall Palo Alto with ACI One Arm , <SPAN class="HwtZe"><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">virtual system divided into 2 for North South and East West</SPAN></SPAN></SPAN></P> <P>On Firewall config Subinterface Layer3 ( Vlan Tag) set IP and config default route to Gateway one ACI. (reference guide)</P> <P><A href="https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/set-up-a-firewall-in-cisco-aci/integrate-the-firewall-with-cisco-aci-in-network-policy-mode/deploy-a-north-south-firewall-in-unmanaged-mode-in-cisco-aci" target="_blank">https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/set-up-a-firewall-in-cisco-aci/integrate-the-firewall-with-cisco-aci-in-network-policy-mode/deploy-a-north-south-firewall-in-unmanaged-mode-in-cisco-aci</A></P> <P><SPAN class="HwtZe"><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">Traffic from ACI will use PBR to route through Palo Alto, and Palo Alto will return back to ACI using the default route</SPAN></SPAN></SPAN></P> <P>But when I check tracert between 2 host on traceroute table with traffic throught firewall, I can see all host <SPAN class="HwtZe"><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">except the Firewall host</SPAN></SPAN></SPAN>.</P> <P><SPAN class="HwtZe"><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">On the firewall I tried opening the policy allow any any, turning off Zone Protection, turning off Packet Buffer Protection but still can't see the firewall hop in the traceroute message. ping between 2 hosts works fine,</SPAN></SPAN></SPAN></P> <P><SPAN class="HwtZe"><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">When I capture firewall, on TX i see firewall sent icmp ttl exeeded to client but destination MAC is </SPAN></SPAN></SPAN><STRONG>00:0c:0c:0c:0c:0c (anycast MAC of ACI) </STRONG>not MAC Address Of client in ARP table</P> <P><SPAN class="HwtZe"><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">Except for TTL Exceeded all other messages sent to the client are sent to the correct MAC address seen in the ARP</SPAN></SPAN></SPAN>.</P> <P><SPAN class="HwtZe"><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">also.</SPAN></SPAN> <SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">when i test ping traceroute from host to firewall, ping and tracert are ok and with this traceroute i can see the host of firewall</SPAN></SPAN></SPAN></P> <P><SPAN class="HwtZe"><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">Has anyone ever deployed Palo Alto firewall with ACI and tested tracert with packets passing through the firewall?</SPAN></SPAN> <SPAN class="jCAhz"><SPAN class="ryNqvb">Looking forward to sharing experiences.</SPAN></SPAN></SPAN></P> <P><SPAN class="HwtZe"><SPAN class="jCAhz">Many tks</SPAN></SPAN></P> <P>&nbsp;</P> Mon, 29 Jul 2024 11:14:59 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-intergrade-with-aci-cannot-see-hop-firewall-on/m-p/593299#M118082 LeNgocTan 2024-07-29T11:14:59Z Re: Palo Alto Intergrade with ACI- Cannot see hop firewall on tranceroute https://live.paloaltonetworks.com/t5/general-topics/palo-alto-intergrade-with-aci-cannot-see-hop-firewall-on/m-p/593471#M118113 <P>To be able to see the firewall in traceroute or ping, you need to set an interface management profile on both interfaces with 'ping' enabled</P> <P>Next a rule needs to allow your hosts to communicate with the firewall interfaces (depends on how strictly you set your rulebase)</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="reaper_0-1722328789221.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61221iEE2857075F1989CF/image-size/medium?v=v2&amp;px=400" role="button" title="reaper_0-1722328789221.png" alt="reaper_0-1722328789221.png" /></span></P> <P>&nbsp;</P> Tue, 30 Jul 2024 08:40:12 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-intergrade-with-aci-cannot-see-hop-firewall-on/m-p/593471#M118113 reaper 2024-07-30T08:40:12Z