<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: L3 gateway Interface traffic relaying in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/l3-gateway-interface-traffic-relaying/m-p/50576#M37242</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Sounds like you need a route for &lt;SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 13.3333330154419px;"&gt;192.168.50.0/24 on the firewall.&lt;/SPAN&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 25 Feb 2015 13:18:41 GMT</pubDate>
    <dc:creator>ITNetworksTeam</dc:creator>
    <dc:date>2015-02-25T13:18:41Z</dc:date>
    <item>
      <title>L3 gateway Interface traffic relaying</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/l3-gateway-interface-traffic-relaying/m-p/50574#M37240</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello All,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I just want to share a thought about a problem I ran into. One of the L3 interfaces on a PAN 500 was configured as the default gateway (192.168.0.1/24, sec zone "trusted") for one network. On that trusted network I have two servers: one terminal server, 192.168.0.10/24, and a VPN server, 192.168.0.15/24. VPN clients with IP pool 192.168.50.0/24 are making connections to the terminal server. The response goes through the gateway interface 192.168.0.1, where the vrouter has a route 192.168.50.0/24 via 192.168.0.15/24. The problem begins at the moment when the terminal server had to make a connection to a VPN client, but it didn't. To cope with the problem, the only solution is to add a static route to the terminal server, &lt;SPAN style="font-size: 13.3333330154419px;"&gt;192.168.50.0/24 via 192.168.0.15/24, and then it works well (bypassing the default gateway). &lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 13.3333330154419px;"&gt;Considering that traffic is permitted by default within the same security zone, I'm unable to understand why traffic cannot be relayed even when I make an explicit policy that permits all traffic within the trusted zone. &lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 13.3333330154419px;"&gt;From the perspective of securing traffic, no filtering is needed, just traffic relaying within the same subnet and the same sec zone. Before this setup we had a simple Linux firewall with iptables, where this worked without a sec rule, just routing and relaying...&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 13.3333330154419px;"&gt;&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 13.3333330154419px;"&gt;&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 13.3333330154419px;"&gt;Tician &lt;/SPAN&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 23 Feb 2015 10:36:15 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/l3-gateway-interface-traffic-relaying/m-p/50574#M37240</guid>
      <dc:creator>Tician</dc:creator>
      <dc:date>2015-02-23T10:36:15Z</dc:date>
    </item>
    <item>
      <title>Re: L3 gateway Interface traffic relaying</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/l3-gateway-interface-traffic-relaying/m-p/50575#M37241</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Tician,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;First of all I would recommend opening a case with tech support. There are a few things that could go wrong here so I would start with the traffic logs. If you have an explicit rule in place there should be logging for the session to verify it is allowed and the log details will confirm if packets are being sent and received. Assuming everything looks ok here try running a packet capture with filters for both directions (.10 to .15 and vice versa) and all 4 stages set. The drop stage will show if anything is being dropped out and counters may give the reason for any drops. This doc should help with setting up the filters and checking the counters. &lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/docs/DOC-1506"&gt;Packet Capture, Debug Flow-basic and Counter Commands&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;regards,&lt;/P&gt;&lt;P&gt;Brandon&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 25 Feb 2015 06:03:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/l3-gateway-interface-traffic-relaying/m-p/50575#M37241</guid>
      <dc:creator>bfarely</dc:creator>
      <dc:date>2015-02-25T06:03:54Z</dc:date>
    </item>
    <item>
      <title>Re: L3 gateway Interface traffic relaying</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/l3-gateway-interface-traffic-relaying/m-p/50576#M37242</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Sounds like you need a route for &lt;SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 13.3333330154419px;"&gt;192.168.50.0/24 on the firewall.&lt;/SPAN&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 25 Feb 2015 13:18:41 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/l3-gateway-interface-traffic-relaying/m-p/50576#M37242</guid>
      <dc:creator>ITNetworksTeam</dc:creator>
      <dc:date>2015-02-25T13:18:41Z</dc:date>
    </item>
  </channel>
</rss>

