topic Re: issues after deployed VM-PA under VMware in General Topics

issues after deployed VM-PA under VMware

Apadilla — Tue, 30 Aug 2016 03:00:17 GMT

Hello Community,

I'm creating a lab with vmware vsphere 5.5.

I deployed two firewall with the following network configuration in vmware.

The issue is from the firewall I can to ping to my untrust and trust interfaces. But when I doing ping to the linux pc the ping failed.

From the linux pc try to reseach to internet and the connection is failed.

In the vmware I set up the promiscuos mode is enable.

This is the PA config interfaces and policies.

Please your help to continue with my lab.

best regards

Andres

Re: issues after deployed VM-PA under VMware

TranceforLife — Tue, 30 Aug 2016 06:53:01 GMT

Hi,

Usually, you will be able to ping your own (itself) interfaces.

First thing configures a mgmt profile and attach to the interface so it will be easy to troubleshoot. See below hot to do it:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Allow-Ping-and-ICMP-on-Layer-3-Interface-of-Your-Palo/ta-p/58932

Check the interface mapping:

network adapter = BRIDGED. This is actually your management interface and you don't see it in the network TAB of the device

network adapter 2 = VMnet(X) This is actually your first interface = ethernet1/1

network adapter 3 = VMnet(X) This is actually your first interface = ethernet1/2

network adapter 4 = VMnet(X) This is actually your first interface = ethernet1/3

After this you know that Palo is going to reply for the ping. So the first step is to make sure Linux host can ping PA interface.

Check the arp table on the Linux machine to confirm you are on the same Layer 2 broadcast domain with Palo.

Check if the Palo can resolve DNS requests.

Thx,

Myky

Re: issues after deployed VM-PA under VMware

Retired Member — Tue, 30 Aug 2016 07:58:23 GMT

You have to allow ping in a interface management profile. And assign it to your interfaces

Starting from pan-os 7.0 promiscuous mode is no longer required

see here:

https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/virtualization-features/support-for-hypervisor-assigned-mac-addresses

Re: issues after deployed VM-PA under VMware

FJU-ITCS — Tue, 30 Aug 2016 07:27:36 GMT

Hi,

do you activated the setting:

Use Hypervisor Assigned MAC Addresses (VM-Series firewalls only)

Select this option to have the VM-Series firewall use the MAC address that the hypervisor assigned, instead of generating a MAC address using the PAN-OS®custom schema.

Is under Device - Setup - Management

I had this problem also, but after i activated this setting everything works.

Frank

Re: issues after deployed VM-PA under VMware

Apadilla — Tue, 30 Aug 2016 19:27:16 GMT

thanks, today I will proceeding with this changes.

Re: issues after deployed VM-PA under VMware

Apadilla — Mon, 05 Sep 2016 20:10:13 GMT

Me again.

I can to ping the untrust zone or ethernet 1/2(192.168.120.21) from the linux machine. but when I try to ping the trust zone (172.16.10.2) the linux console show the following message " Time to live exceded "

Change ip the linux pc from 192.168.120.9 to 172.16.10.20 and try to ping the untrust zone or trust zone and the result is failed.

And try to access to internet from the linux pc, and fail.

So I do not know if I'm missing some configuration in the firewall or in my vsphere.

This is the config running

admin@fw01> show config running

config {
mgt-config {
users {
admin {
phash fnRL/G5lXVMug;
permissions {
role-based {
superuser yes;
}
}
}
}
}
shared {
application;
application-group;
service;
service-group;
botnet {
configuration {
http {
dynamic-dns {
enabled yes;
threshold 5;
}
malware-sites {
enabled yes;
threshold 5;
}
recent-domains {
enabled yes;
threshold 5;
}
ip-domains {
enabled yes;
threshold 10;
}
executables-from-unknown-sites {
enabled yes;
threshold 5;
}
}
other-applications {
irc yes;
}
unknown-applications {
unknown-tcp {
destinations-per-hour 10;
sessions-per-hour 10;
session-length {
maximum-bytes 100;
minimum-bytes 50;
}
}
unknown-udp {
destinations-per-hour 10;
sessions-per-hour 10;
session-length {
maximum-bytes 100;
minimum-bytes 50;
}
}
}
}
report {
topn 100;
scheduled yes;
}
}
}
devices {
localhost.localdomain {
network {
interface {
ethernet {
ethernet1/1 {
layer3 {
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
ip {
172.16.10.2;
}
lldp {
enable no;
}
interface-management-profile "mgm profile";
}
comment trust;
}
ethernet1/2 {
layer3 {
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
ip {
192.168.120.21;
}
lldp {
enable no;
}
interface-management-profile "mgm profile";
}
comment untrust;
}
}
}
profiles {
monitor-profile {
default {
interval 3;
threshold 5;
action wait-recover;
}
}
interface-management-profile {
"mgm profile" {
https yes;
ssh yes;
ping yes;
}
}
}
ike {
crypto-profiles {
ike-crypto-profiles {
default {
encryption [ aes-128-cbc 3des];
hash sha1;
dh-group group2;
lifetime {
hours 8;
}
}
Suite-B-GCM-128 {
encryption aes-128-cbc;
hash sha256;
dh-group group19;
lifetime {
hours 8;
}
}
Suite-B-GCM-256 {
encryption aes-256-cbc;
hash sha384;
dh-group group20;
lifetime {
hours 8;
}
}
}
ipsec-crypto-profiles {
default {
esp {
encryption [ aes-128-cbc 3des];
authentication sha1;
}
dh-group group2;
lifetime {
hours 1;
}
}
Suite-B-GCM-128 {
esp {
encryption aes-128-gcm;
authentication none;
}
dh-group group19;
lifetime {
hours 1;
}
}
Suite-B-GCM-256 {
esp {
encryption aes-256-gcm;
authentication none;
}
dh-group group20;
lifetime {
hours 1;
}
}
}
global-protect-app-crypto-profiles {
default {
encryption aes-128-cbc;
authentication sha1;
}
}
}
}
qos {
profile {
default {
class {
class1 {
priority real-time;
}
class2 {
priority high;
}
class3 {
priority high;
}
class4 {
priority medium;
}
class5 {
priority medium;
}
class6 {
priority low;
}
class7 {
priority low;
}
class8 {
priority low;
}
}
}
}
}
virtual-router {
default {
protocol {
bgp {
enable no;
dampening-profile {
default {
cutoff 1.25;
reuse 0.5;
max-hold-time 900;
decay-half-life-reachable 300;
decay-half-life-unreachable 900;
enable yes;
}
}
routing-options {
graceful-restart {
enable yes;
}
}
}
}
interface [ ethernet1/1 ethernet1/2];
ecmp {
algorithm {
ip-modulo;
}
}
routing-table {
ip {
static-route {
default-gateway {
nexthop {
ip-address 192.168.120.1;
}
bfd {
profile None;
}
interface ethernet1/2;
metric 10;
destination 0.0.0.0/0;
}
intranet {
nexthop {
ip-address 0.0.0.0;
}
bfd {
profile None;
}
interface ethernet1/2;
metric 10;
destination 192.168.120.0/24;
}
}
}
}
}
}
}
deviceconfig {
system {
ip-address 192.168.120.20;
netmask 255.255.255.0;
update-server updates.paloaltonetworks.com;
update-schedule {
threats {
recurring {
weekly {
day-of-week wednesday;
at 01:02;
action download-only;
}
}
}
}
timezone US/Pacific;
service {
disable-telnet yes;
disable-http yes;
}
hostname fw01;
default-gateway 192.168.120.1;
dns-setting {
servers {
primary 8.8.8.8;
secondary 200.91.75.5;
}
}
}
setting {
config {
rematch yes;
}
management {
hostname-type-in-syslog FQDN;
}
auto-mac-detect yes;
}
}
vsys {
vsys1 {
application;
application-group;
zone {
trust {
network {
layer3 ethernet1/1;
}
}
untrust {
network {
layer3 ethernet1/2;
}
}
}
service;
service-group;
schedule;
rulebase {
security {
rules {
"allow access to internet" {
to untrust;
from trust;
source any;
destination any;
source-user any;
category any;
application any;
service any;
hip-profiles any;
action allow;
}
"allow access" {
to trust;
from untrust;
source any;
destination any;
source-user any;
category any;
application any;
service any;
hip-profiles any;
action allow;
}
}
}
nat {
rules;
}
default-security-rules {
rules {
intrazone-default {
action allow;
log-start no;
log-end yes;
}
}
}
}
import {
network {
interface [ ethernet1/1 ethernet1/2];
}
}
}
}
}
}
}

admin@fw01>

Re: issues after deployed VM-PA under VMware

Apadilla — Mon, 05 Sep 2016 20:24:13 GMT

I can to ping the google.com and updates.paloaltonetworks.com

Re: issues after deployed VM-PA under VMware

TranceforLife — Mon, 05 Sep 2016 20:54:13 GMT

Hi,

Changing ip on the linux box from one subnet to another will not help as you need to remap you VM interface to one that connects to the Palo. Are you free now ? Can you email to mlskrypka@gmail.com

Re: issues after deployed VM-PA under VMware

Apadilla — Tue, 06 Sep 2016 04:55:02 GMT

Hello

My email is apadillav21@gmail.com