topic Re: Default Gateway from the Palo Alto Firewall is not reachable in General Topics

Default Gateway from the Palo Alto Firewall is not reachable

ParvezAhmad — Sat, 04 Jan 2014 15:49:07 GMT

Hello,

I have configured inside, outside and DMZ on the Palo Alto firewall. The outside interface is configured for Global Protect.

The default gateway of Palo Alto firewall is not reachable. But when we connect to that cable to ASA firewall we are able to ping gateway.

Please help us to troubleshooting the issue.

Regards,

Parvez

Re: Default Gateway from the Palo Alto Firewall is not reachable

Retired Member — Sat, 04 Jan 2014 15:56:45 GMT

Hi,

How do you test to reach default gateway ?

you mean ping source OUTSIDE host DGW ?

Re: Default Gateway from the Palo Alto Firewall is not reachable

Retired Member — Sat, 04 Jan 2014 16:09:20 GMT

Trigger a Gratuitous ARP (GARP) from a Palo Alto Networks Device

Re: Default Gateway from the Palo Alto Firewall is not reachable

ericgearhart — Sat, 04 Jan 2014 16:15:56 GMT

ParvezAhmad are you specifying the source of your pings as being the OUTSIDE interface of your PA that is facing your default gateway when you're doing your tests?

Example:

ping source 216.5.4.3 host 216.5.4.1

Also are you sure the PA firewall isn't blocking the pings? Do you have a policy rule defined that says "allow outside to outside" with App-ID ping?

Also as was previously mentioned if the PA has the same IP as the ASA you're testing with, it makes sense to force a gratuitous ARP to make sure the ARP cache on your default gateway device updates with the PA MAC address instead of the ASA MAC address.

Re: Default Gateway from the Palo Alto Firewall is not reachable

ParvezAhmad — Sat, 04 Jan 2014 16:39:48 GMT

Hi,

I tested by using ping host xxx.ccc.xxx.zzzz.

I am doing migration from ASA firewall to Palo Alto firewall. I am using the same cable to connect to Palo Alto outside interface E1/1.

Re: Default Gateway from the Palo Alto Firewall is not reachable

ericgearhart — Sat, 04 Jan 2014 16:41:33 GMT

Parvez do

ping source <your outside interface IP on your Palo Alto> host xxx.ccc.xxx.zzz

Re: Default Gateway from the Palo Alto Firewall is not reachable

ParvezAhmad — Sat, 04 Jan 2014 16:45:40 GMT

I believe after 180 seconds. It should remove automatically.

Or Do we remove it by Clear ip arp?

Re: Default Gateway from the Palo Alto Firewall is not reachable

ParvezAhmad — Sat, 04 Jan 2014 16:48:44 GMT

Firewall is not blocking the pings. Since there is policy as you mentioned.

Do you think that Global Protect Configuration can block this ping?

Re: Default Gateway from the Palo Alto Firewall is not reachable

Retired Member — Sat, 04 Jan 2014 16:49:58 GMT

if you don't type source FW uses management interface for the ping command

Re: Default Gateway from the Palo Alto Firewall is not reachable

ericgearhart — Sat, 04 Jan 2014 16:51:24 GMT

Parvez: yes the ARP cache will eventually time out

Can you please try "ping source <your outside interface IP on your Palo Alto> host xxx.ccc.xxx.zzz" and let us know your results?

Re: Default Gateway from the Palo Alto Firewall is not reachable

ericgearhart — Sat, 04 Jan 2014 16:53:58 GMT

Right, what panos said is true, that's why I'm asking for the source parameter to be added to your ping command ParvezAhmad

Re: Default Gateway from the Palo Alto Firewall is not reachable

skrall — Sun, 05 Jan 2014 02:23:32 GMT

What egearhart says is true. If you "ping host www.yahoo.com" , the default interface chosen is the management interface. If your WAN interface has an IP of 64.64.64.64, use this syntax, ping source 64.64.64.64 host <IP_ADDR_Nexthop_Rtr>. Then check the arp cache on the ethernet port that corresponds to 64.64.64.64. If you do not see an entry for your ISP next hop then they have probably done a static entry for your IP and MAC in the switch. I have no idea why they do this but it is fairly common in the USA.

SKrall