palo alto networks configuration

RCHAIBI — Sun, 04 Oct 2015 23:46:48 GMT

hello,

I configured a PA-500 with routing mode in our company . I set the zone , the security rules , the nat rules . I allow all traffic from trust zone to untrust zone. But the problem there is no internet connection. We use a DNS server , that is in trust zone.

I add a security role from untrust zone to a trust zone (with addressof DNS server) but the problem always we don't hav the internet connection in the office . I process all the steps of the administraion guide of PAN in my configuration but always i have the same issue!

Any one can help me pleaseto resolve this problem

Re: palo alto networks configuration

reaper — Mon, 05 Oct 2015 07:43:43 GMT

Here's a couple of things you can check to make sure everything is set up properly

from the CLI, check if you can see all relevant mac addresses:

> show arp all

verify if your routing is configured properly (you'll need a default gateway)

>show routing route

make sure all interfaces have been configured with the proper IP/subnet

>show interface all

make sure all hosts can be reached on the connected interface:

>ping source <trust_interface_IP> host <internal_client_IP>

>ping source <untrust_interface_IP> host <internet_router_IP>

see if you can reach the internet from the untrust interface:

>ping source <untrust_interface_IP> host 4.2.2.2

and lastly from the trust interface:

>ping source <trust_interface_IP> host 4.2.2.2

you can start a session from a host in the trust zone and then check the sessions being created

> show session all

it should look something like this:

--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
24795        ping           ACTIVE  FLOW  NS   192.168.0.21[512]/trust/1  (198.51.100.230[512])
vsys1                                          4.2.2.2[33024]/untrust  (4.2.2.2[33024])
24796        ping           ACTIVE  FLOW  NS   192.168.0.21[512]/trust/1  (198.51.100.230[512])
vsys1                                          4.2.2.2[33280]/untrust  (4.2.2.2[33280])

then verify a session's parameters

>show session id <id#>

Session           24795

        c2s flow:
                source:      192.168.0.21 [trust]
                dst:         4.2.2.2
                proto:       1
                sport:       512             dport:      33024
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source:      4.2.2.2 [untrust]
                dst:         198.51.100.230
                proto:       1
                sport:       33024           dport:      512
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                           : Mon Oct  5 09:38:48 2015
        timeout                              : 6 sec

Please note the difference between the c2s and s2c flows

You'll see that c2s has source ip 192.168.0.21, which is my internal IP, where the s2c flow has destination 198.51.100.230, which is my NAT address, this will show you if NAT is being applied properly

hope this helps you get started, please let us know if this helps

Tom

topic Re: palo alto networks configuration in General Topics

palo alto networks configuration

Re: palo alto networks configuration