https://live.paloaltonetworks.com/t5/general-topics/get-incomplete-on-palo-alto-after-nat-on-checkpoint/m-p/6859#M5042 <HTML><HEAD></HEAD><BODY><P>Hi everyone.</P><P>I need some help.</P><P>I I encoutered a problem with incomplete session during configuring a simple (as I thought) roule.</P><P>I have host inside my network and I want to configure the access from the internet. My configuration is: the first firewall is CheckPoint andthe second is Palo Alto.</P><P>I made a static NAT on it and proper rules to access to this host. Then I configured rules on Palo Alto. I did a simple rule that gives a right to access to this host but on internal IP (because according to me host is transalated later - on CheckPoint) on proper services.</P><P>Unfortunately there is only a incomplete sessions on Panorama logs.</P><P>Besides that I did proper routing entires both Palo Alto and CheckPoint machines.</P><P>I don't know what do I should configure more.</P><P>There are positive logs on checkpoint dashboard but there is no more information in Panorama logs about this problem.</P><P></P><P>Does aanyone of us can help me?</P><P></P><P>Thanks a lot</P><P>By</P><P>Paul</P></BODY></HTML> Thu, 09 Dec 2010 21:05:09 GMT pawel_serwatko 2010-12-09T21:05:09Z https://live.paloaltonetworks.com/t5/general-topics/get-incomplete-on-palo-alto-after-nat-on-checkpoint/m-p/6859#M5042 <HTML><HEAD></HEAD><BODY><P>Hi everyone.</P><P>I need some help.</P><P>I I encoutered a problem with incomplete session during configuring a simple (as I thought) roule.</P><P>I have host inside my network and I want to configure the access from the internet. My configuration is: the first firewall is CheckPoint andthe second is Palo Alto.</P><P>I made a static NAT on it and proper rules to access to this host. Then I configured rules on Palo Alto. I did a simple rule that gives a right to access to this host but on internal IP (because according to me host is transalated later - on CheckPoint) on proper services.</P><P>Unfortunately there is only a incomplete sessions on Panorama logs.</P><P>Besides that I did proper routing entires both Palo Alto and CheckPoint machines.</P><P>I don't know what do I should configure more.</P><P>There are positive logs on checkpoint dashboard but there is no more information in Panorama logs about this problem.</P><P></P><P>Does aanyone of us can help me?</P><P></P><P>Thanks a lot</P><P>By</P><P>Paul</P></BODY></HTML> Thu, 09 Dec 2010 21:05:09 GMT https://live.paloaltonetworks.com/t5/general-topics/get-incomplete-on-palo-alto-after-nat-on-checkpoint/m-p/6859#M5042 pawel_serwatko 2010-12-09T21:05:09Z https://live.paloaltonetworks.com/t5/general-topics/get-incomplete-on-palo-alto-after-nat-on-checkpoint/m-p/6860#M5043 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>&nbsp;&nbsp; Try taking a look at the session trace on the incomplete session - that should give you some idea of how the packet is being seen by the PAN, what rules it's hitting, etc.</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; A few questions for you:</P><P></P><P>1) how is the PAN deployed (l2, l3, vwire)?&nbsp; </P><P>2) What does the policy on the PAN look like?</P></BODY></HTML> Fri, 10 Dec 2010 01:35:25 GMT https://live.paloaltonetworks.com/t5/general-topics/get-incomplete-on-palo-alto-after-nat-on-checkpoint/m-p/6860#M5043 drogers 2010-12-10T01:35:25Z https://live.paloaltonetworks.com/t5/general-topics/get-incomplete-on-palo-alto-after-nat-on-checkpoint/m-p/6861#M5044 <HTML><HEAD></HEAD><BODY><P>An incomplete session means either the 3-way TCP handshake never completed or if it did complete there were no further packets.&nbsp; This typically happens when the firewall only see's half of the traffic.&nbsp; This can be due to asymmetric routing or perhaps a firewall rule/acl downstream from the Palo Alto firewall.</P><P></P><P>If you check the details of the session you will probably see only 1 packet was recorded which would also indicate that the firewall is not seeing the return traffic for some reason. (or maybe the return traffic is coming back on a different interface in another zone?)</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Fri, 10 Dec 2010 06:43:39 GMT https://live.paloaltonetworks.com/t5/general-topics/get-incomplete-on-palo-alto-after-nat-on-checkpoint/m-p/6861#M5044 kbrazil 2010-12-10T06:43:39Z