https://live.paloaltonetworks.com/t5/general-topics/icmp-reply-from-the-firewall-instead-of-endpoint-destination/m-p/231321#M66414 <P>Hello everybody,<BR /><BR /><BR />What could cause ping to respond from a different IP?<BR />When tested from source, the response message of the ping command is successful and it's coming from the PaloAlto firewall, not from the destination IP.<BR />Where and how can I verify on the PaloAlto if this is expected or not?<BR />What setup can cause such behavior on the PaloAlto?<BR />Need to mention that the destination is RPC server to which the source can't connect, even though there is sucessful ICMP reply from the PaloAlto firewall.&nbsp;<BR />Source and destinaiton are on different networks.<BR /><BR />Thanks!</P> Tue, 18 Sep 2018 21:12:23 GMT 000000 2018-09-18T21:12:23Z https://live.paloaltonetworks.com/t5/general-topics/icmp-reply-from-the-firewall-instead-of-endpoint-destination/m-p/231321#M66414 <P>Hello everybody,<BR /><BR /><BR />What could cause ping to respond from a different IP?<BR />When tested from source, the response message of the ping command is successful and it's coming from the PaloAlto firewall, not from the destination IP.<BR />Where and how can I verify on the PaloAlto if this is expected or not?<BR />What setup can cause such behavior on the PaloAlto?<BR />Need to mention that the destination is RPC server to which the source can't connect, even though there is sucessful ICMP reply from the PaloAlto firewall.&nbsp;<BR />Source and destinaiton are on different networks.<BR /><BR />Thanks!</P> Tue, 18 Sep 2018 21:12:23 GMT https://live.paloaltonetworks.com/t5/general-topics/icmp-reply-from-the-firewall-instead-of-endpoint-destination/m-p/231321#M66414 000000 2018-09-18T21:12:23Z https://live.paloaltonetworks.com/t5/general-topics/icmp-reply-from-the-firewall-instead-of-endpoint-destination/m-p/231586#M66496 <P>Incorrect implementation of NAT could cause the firewall to assume 'ownership' of IP addresses through proxy-arp</P> <P>This typically happens if the destination in a NAT policy is set to a subnet</P> Thu, 20 Sep 2018 08:30:39 GMT https://live.paloaltonetworks.com/t5/general-topics/icmp-reply-from-the-firewall-instead-of-endpoint-destination/m-p/231586#M66496 reaper 2018-09-20T08:30:39Z https://live.paloaltonetworks.com/t5/general-topics/icmp-reply-from-the-firewall-instead-of-endpoint-destination/m-p/231607#M66503 <P>Indeed, it was found that there is a NAT which causes the reply from the firewall.&nbsp;<BR /><SPAN>The traffic in question only returns through the firewall and hits NAT rule on it's way back.</SPAN><BR /><SPAN>However that traffic does not go through the firewall on it's way out.</SPAN><BR /><SPAN>ICMP is not affected by it, but any TCP will be dropped because breaks the 3-way handshake.</SPAN></P> Thu, 20 Sep 2018 11:32:43 GMT https://live.paloaltonetworks.com/t5/general-topics/icmp-reply-from-the-firewall-instead-of-endpoint-destination/m-p/231607#M66503 000000 2018-09-20T11:32:43Z