topic Re: Palo Alto in Virtual Wire mode : Traffic not passing throught internet perimeter Firewall in General Topics

Palo Alto in Virtual Wire mode : Traffic not passing throught internet perimeter Firewall

gabriel.simatupang — Mon, 26 Oct 2015 04:35:36 GMT

Dear All,

I'm doing POC at customer who use Checkpoint as Internet Firewall. So i deploy Palo Alto behind Checkpoint firewall in vwire mode. After We configure and install policy everything running well and to minimize the risk we configure permit all any any in the bottom of security policy. At the end of the PoC we try to disable the Permit all rule, but traffic not passing throught. Is there is any port or application or something i need to allow from palo alto? or there is spesific port from checkpoint i need to allow?

My rule style is like this:

- permit spesific plus security profile

- permit General plus security profile

- permit any any

Topology: Router----Checkpoint----Paloalto-----Switch

Re: Palo Alto in Virtual Wire mode : Traffic not passing throught internet perimeter Firewall

mvidic — Mon, 26 Oct 2015 07:02:23 GMT

Hi,

What does the traffic log say? Do you see the sessions? Are they allowed or denied?

Re: Palo Alto in Virtual Wire mode : Traffic not passing throught internet perimeter Firewall

reaper — Mon, 26 Oct 2015 08:25:58 GMT

Hi Gabriel

if you switch the permit any rule to a block any rule, you should see what is being blocked exactly. This can help you pinpoint any service that may need to pass though.

Can you verify in the traffic logs that the source and destination zones are correct? A common issue with vwire configuration is that trust and untrust get switched by accidentally switching the cables. If you then disable the any rule traffic will start getting blocked as it is flowing in the "wrong" direction.

hope this helps

Tom

Re: Palo Alto in Virtual Wire mode : Traffic not passing throught internet perimeter Firewall

Satish — Mon, 26 Oct 2015 11:46:03 GMT

Hi Gabriel,

Please check all licenses are activated or not. if yes than check the your network configuration.

Regards

Satish

Re: Palo Alto in Virtual Wire mode : Traffic not passing throught internet perimeter Firewall

pulukas — Mon, 26 Oct 2015 22:58:32 GMT

Check the logs for the original permit rule and you will see what traffic is hitting this even before you turn it off or to block.

Re: Palo Alto in Virtual Wire mode : Traffic not passing throught internet perimeter Firewall

gabriel.simatupang — Wed, 28 Oct 2015 10:14:30 GMT

Because when i disable permit any any rule.. there is no log about that. I will try to make deny any any rule before i disable permit any any rule so i can get the log about that. Once more i wanna ask, do i need to permit rule from untrust to trust for spesific application or port like http/web browsing or https/sll, or something like that?

Re: Palo Alto in Virtual Wire mode : Traffic not passing throught internet perimeter Firewall

Raido_Rattameister — Wed, 28 Oct 2015 11:58:31 GMT

You can override last default inter zone rule and enable logging traffic that matches that rule.

Re: Palo Alto in Virtual Wire mode : Traffic not passing throught internet perimeter Firewall

pulukas — Wed, 28 Oct 2015 22:38:46 GMT

Gabriel,

Rules are only needed in the zone direction for which the traffic is initiated at the tcp level. You do not need a matching reverse direction rule as the firewall is "stateful" and aware of the session traffic.

So web browsing (http/https) from trust to untrust only needs a permit rule from trust to untrust. You do not need an untrust to trust rule for this to work.

Re: Palo Alto in Virtual Wire mode : Traffic not passing throught internet perimeter Firewall

K.Kreilos — Fri, 13 Mar 2026 11:15:42 GMT

I know this one is very old but the provided solution was not working for me. I experienced the issue that i've configured the virtual wire like described on documentation and traffic forwarding and DHCP was not working. In my environment I use ESXI 7.0 Update 3. Palo Alto VM 11.2.10h3 as edge FW and 12.1.5 as virtual wire. Client behind didn't get any IP and saw no ARPs. The problem was on the ESXI virtual switch. The solution was:

Create two Port Groups (e.g., vWire-Outside and vWire-Inside) on your VSwitch.
Crucial: On both Port Groups, set Promiscuous Mode, MAC Address Changes, and Forged Transmits to Accept.
Add two network adapters to the Palo Alto VM: one for each port group

Re: Palo Alto in Virtual Wire mode : Traffic not passing throught internet perimeter Firewall

kiwi — Fri, 13 Mar 2026 13:19:18 GMT

Hi @K.Kreilos ,

Thank for sharing this!

This is a perfect reminder for anyone running a lab or a virtual edge on 11.2 or 12.1.

Thanks again for taking the time to post the specific fix!