https://live.paloaltonetworks.com/t5/general-topics/cannot-ping-server-but-monitor-sees-the-ping-traffic-as-allow/m-p/231585#M66495 <P>the source and destination subnet of your security policy do not match your source and destination zones</P> <P>&nbsp;</P> <P><SPAN>- policy allow&nbsp;source-address ZONE-ROUTER-A source-address 172.16.1.0/24&nbsp;&nbsp;destination-zone ZONE-ROUTER-B destination-address 192.168.1.100 with any apps and services,&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>router A hosts 192.168.1.0/24 and router B hosts 172.16.1.100</SPAN></P> <P>&nbsp;</P> <P>to be able to ping 192.168.1.100 from 10.10.20.2 you will need additional security policy (from zone-router-B to zone-router-A)</P> <P>to be able to ping 172.16.1.100 from 10.10.10.1 you will need additonal policy/expand the existing policy as the source subnet is not accounted for in your existing policy</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 20 Sep 2018 08:27:27 GMT reaper 2018-09-20T08:27:27Z https://live.paloaltonetworks.com/t5/general-topics/cannot-ping-server-but-monitor-sees-the-ping-traffic-as-allow/m-p/231322#M66415 <P>My Palo Alto PA200 e1/1 (10.10.10.1/30) is connected to router A and e1/2 (10.10.20.2/30) is connected to router B.</P><P>The server 192.168.1.100/24 is behind router A (10.10.10.2)&nbsp;which has a static router to destination 172.16.1.0/24 with next hop 10.10.10.1.</P><P>The user 172.16.1.100/24 is behind router B&nbsp;(10.10.20.1) which has a static router to destination 192.168.1.0/24 with next hop 10.10.20.2.</P><P>&nbsp;</P><P>On my PA, I have static routes and policy below:</P><P>- destination 172.16.1.0/24 next hop 10.10.20.1 (Router B) via interface e1/2</P><P><SPAN>- destination 192.168.1.0/24 next hop 10.10.10.2 (Router A) via interface e1/1</SPAN></P><P><SPAN>- policy allow&nbsp;source-address ZONE-ROUTER-A source-address 172.16.1.0/24&nbsp;&nbsp;destination-zone ZONE-ROUTER-B destination-address 192.168.1.100 with any apps and services,&nbsp;</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>It looks like I have a routing between the 2 subnets from my PA FW.</P><P>My FW can ping 192.168.1.100 sourcing 10.10.10.1 and 172.16.1.100 sourcing 10.10.20.2.</P><P>But I cannot ping&nbsp;<SPAN>192.168.1.100 sourcing 10.10.20.2 and 172.16.1.100 sourcing 10.10.10.1. The strange thing is I can see the pings going through from the MONITOR on my PA200 when 172.16.1.100 tries to ping 192.168.1.100. But the ping from the user says failed.</SPAN></P><P>&nbsp;</P><P><SPAN>Any inputs will be greatly appreciated. Thx</SPAN></P><P>&nbsp;</P><P><SPAN>Am I missing a policy?&nbsp;</SPAN></P> Tue, 18 Sep 2018 21:08:55 GMT https://live.paloaltonetworks.com/t5/general-topics/cannot-ping-server-but-monitor-sees-the-ping-traffic-as-allow/m-p/231322#M66415 jac101 2018-09-18T21:08:55Z https://live.paloaltonetworks.com/t5/general-topics/cannot-ping-server-but-monitor-sees-the-ping-traffic-as-allow/m-p/231585#M66495 <P>the source and destination subnet of your security policy do not match your source and destination zones</P> <P>&nbsp;</P> <P><SPAN>- policy allow&nbsp;source-address ZONE-ROUTER-A source-address 172.16.1.0/24&nbsp;&nbsp;destination-zone ZONE-ROUTER-B destination-address 192.168.1.100 with any apps and services,&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>router A hosts 192.168.1.0/24 and router B hosts 172.16.1.100</SPAN></P> <P>&nbsp;</P> <P>to be able to ping 192.168.1.100 from 10.10.20.2 you will need additional security policy (from zone-router-B to zone-router-A)</P> <P>to be able to ping 172.16.1.100 from 10.10.10.1 you will need additonal policy/expand the existing policy as the source subnet is not accounted for in your existing policy</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 20 Sep 2018 08:27:27 GMT https://live.paloaltonetworks.com/t5/general-topics/cannot-ping-server-but-monitor-sees-the-ping-traffic-as-allow/m-p/231585#M66495 reaper 2018-09-20T08:27:27Z