topic Re: interface to interface connevtivity not working in General Topics

interface to interface connevtivity not working

bwfreas — Wed, 05 Apr 2017 16:52:39 GMT

hello - apologies in advance but im a newbie on Palo Altos - come from working on Check Points and Junipers and am now here tasked to set up a palo alto. I've got my network working to where all the vlans hanging off of the PAN can ping it and it can ping them however anything from interface to interface (vlan to vlan) isnt working. I've got an any/any/any allow rule on the palo alto right now for the moment but am i missing a setting or a configuration item to make the PAN aware of the other networks? I didnt think i needed a route if everything was directly connected?

thanks in advance

Re: interface to interface connevtivity not working

TranceforLife — Wed, 05 Apr 2017 18:26:55 GMT

Heys,

l guess you got all your subinterfaces in the different zones. How do you have your security policies configured? Do you allow the traffic between the VLANs? Can you post a screen shot of the policies? And yes if all subinterfaces (networks) terminates on palo no need routing as it is directly connected networks:

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-Subinterfaces/ta-p/67395

Re: interface to interface connevtivity not working

bwfreas — Wed, 05 Apr 2017 20:31:37 GMT

hello! they are about 5 interfaces configured and yes all different zones. right now i just have 1 security rule installed for testing purposes that allows any source to any destination and any port accept.....so i didnt think i had a security policy issue? unless im not understanding the way to do PAFW policies exactly correct? i can post a screenshot but ive since left the office will have to do when i return.

so im not starting to think/wonder that its not a routing issue as i figured it wasnt but maybe i dont have the right rules in place?

Re: interface to interface connevtivity not working

TranceforLife — Wed, 05 Apr 2017 20:51:52 GMT

Ok if the FW is doing a routing for these VLANs (subinterfaces) we should see the session created by palo (we should see anyway even :0) and the traffic logs for these sessions. What pan-os are you on? Is it hardware or VM appliance? Just in case you can override the default policy to "allow" and log session in the start&end and initiate any traffic between the VLANs and then check the logs:

I am pretty sure answer is there

Re: interface to interface connevtivity not working

bwfreas — Wed, 05 Apr 2017 23:01:02 GMT

thank you for the help so far it is greatly appreciated! these are hadrware appliances 3020's in a cluster - i have to get the OS version tomorrow can you tell me what timezone you are in so I can have an idea how far apart we are?

can you tell me how to do a tcpdump on the PAFW?

also - the logs...for some reason i am not seeing any traffic logs appearing? it looks liek there were logs from several weeks ago but nothing since...so i was trying to determine if this traffic was reaching the PAFW first.

Re: interface to interface connevtivity not working

TranceforLife — Wed, 05 Apr 2017 23:14:35 GMT

Hi,

PCAP here. Check the GUI option as it is easier than using cli. UK GMT time zone. Ok, let's do a step back then. Fist attach a mgmt profile with "ping" option ticked to every subinterface and confirm you can reach all of them from the client side (from the every VLAN) and after we will go from there.

Re: interface to interface connevtivity not working

bwfreas — Thu, 06 Apr 2017 05:58:52 GMT

perfect - I am on UK as well at the moment

i can confirm i have a mgmt profile with ping enabled on each interface and i can ping a device on each interface from the PAFW itself but I cannot ping from one device on one interface to another device behind another interface

i will try the PCAP here this morning and will look at your other suggestion for the rule override.

Re: interface to interface connevtivity not working

bwfreas — Thu, 06 Apr 2017 09:36:41 GMT

hello! good news i think i was able to resolve this particular issue - its a result of my lack of experience with palo alto rules - looks like i had an intrazone-default rule but i needed an interzone-default rule as well. once i created that i have connectivity across the interfaces.

thank you

Re: interface to interface connevtivity not working

bwfreas — Thu, 06 Apr 2017 08:24:31 GMT

i do also have a bit of a more serious question regarding the configuration of a NAT rule and how to do all that is involved with that

Re: interface to interface connevtivity not working

reaper — Thu, 06 Apr 2017 08:57:20 GMT

hi there

I'd like to request if you would mind asking your questions on the forum, as this will quite possibly help other novice users find their way around obstacles you are currently facing, think of the youngn's ! 😉

In regards to your NAT question, have you looked at this article: Getting Started: Network Address Translation (NAT) ?

this should be a good start to provide an answer to most of your NAT questions, feel free to ask any and all followup questions (preferably on the forum so other people may benefit)

also, there's this series of articles that could help you set up: Getting Started: The Series

Re: interface to interface connevtivity not working

TranceforLife — Thu, 06 Apr 2017 09:26:09 GMT

Hey Brian,

I think forum is a better way as @reaper has mentioned already. But just in case l also have sent a PM

Re: interface to interface connevtivity not working

bwfreas — Thu, 06 Apr 2017 10:17:42 GMT

hi all yes thank you i agree it would be best to keep here for future reference so will do that

Re: interface to interface connevtivity not working

TranceforLife — Thu, 06 Apr 2017 09:48:24 GMT

Palo has a Virtual Router concept:

https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/networking/configure-a-virtual-router.html

It has to be attached to the interface

Re: interface to interface connevtivity not working

bradk14 — Thu, 06 Apr 2017 09:54:31 GMT

you would configure the assigned virtual router to have a static entry of 0.0.0.0/0 and point it to the outside/untrust interface and assign the next hop

Re: interface to interface connevtivity not working

bwfreas — Thu, 06 Apr 2017 10:33:57 GMT

thank you on that i think ive found it