Need assistance with PA-445: general setup/VR

NoRaindropsInTheSky — Fri, 06 Dec 2024 05:56:31 GMT

Hello Everyone, I need a little assistance

I am new to Palo Altos...I have just received and trying to set up an PA-445...but I ran into the following issues:

- no incoming traffic hitting on anything (outbound traffic is OK: computers plugged into PA-445 on other ports can reach Internet)

- I would like inside computer 192.168.0.57 to have traffic routed to it.

I have attached a diagram of the network setup. Port eth1/1 is connected to the Internet (port on the ISP Switch/Modem), with a configuration of Layer3, Outside Zone, 10.1.10.25/32 IPv4

All other ports are configured as Layer2, with one vlan attached to all (called 'VLAN'). I made a zone called 'Inside', and vlan is part of it. This is also Layer3. vlan makes its subnet 192.168.0.1/24,

My Virtual Router has one router, and includes interfaces: eth1/1 + vlan

The routing table for Virtual Router is Dest: 0.0.0.0/0, hop is 10.1.10.1/32, on eth1/1

My Security Policy looks like this:

1. From Outside (any), to Inside (any) - allow (no hits)

2. From Inside (any) to Outside (any) - allow (works great!)

NAT policy:

1. From Inside to Outside (any any any any), Source Translation: dynamic IP - 10.1.10.252/32, Dest. Translation : None

2. From Outside to Outside (any any any any), Source Translation: None, Dest. Translation: Dynamic IP, 192.168.0.57/32

The computer 192.168.0.57 can access the Internet...but absolutely no traffic is making it in (the Security Policy has 0 hits).

Any advice what am I doing wrong ? I have attached diagram.

Thank you!

Re: Need assistance with PA-445: general setup/VR

TomYoung — Fri, 06 Dec 2024 12:03:25 GMT

Hi @NoRaindropsInTheSky ,

The cool thing about this document https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping is that is has example security and NAT policy rules on the bottom. Follow those examples and your inbound traffic will work fine. Pay close attention to the zones used, the correct configuration may not be intuitive at first.

With regard to your traffic logs, traffic that does not match a security policy rule will hit the interzone-default rule. This rule does not log by default. You will need to highlight the rule, click the Override button on the bottom, configure logging, and commit your changes. Then you will see the dropped traffic in the logs.

Since you have a NGFW and a CSP (Customer Support Portal) account, you can also log into Beacon. https://beacon.paloaltonetworks.com. From there, search "firewall essentials". You will see the free 9.1 training. The PAN-OS is old, but the foundational configuration is the same. It is very good.

If you don't like the older audio/video type training, you can search for "next generation firewall". You will see training of the same name in the new interactive HTML format. Both free training have lots of good material.

If you have any question as to why, feel free to ask.

Thanks,

Tom

topic Re: Need assistance with PA-445: general setup/VR in General Topics

Need assistance with PA-445: general setup/VR

Re: Need assistance with PA-445: general setup/VR