<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic New GP deployment - DNS, ping, and tracert work, but no app traffic in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/new-gp-deployment-dns-ping-and-tracert-work-but-no-app-traffic/m-p/257039#M72917</link>
    <description>&lt;P&gt;I've set up a new GP config on a new PA-820 firewall. I have an old firewall I'm replacing, but I'm running them side by side. On the new 820 GP, I can connect with a GP client, and then ping internal servers. I can verify that DNS is working with nslookup using our internal DNS servers and all of the internal resources resolve and can be pinged just fine. I can also ping the GP client from any internal resource. So I believe routing is set up correctly. I can also get to the web just fine on the GP client.&lt;/P&gt;&lt;P&gt;However, everything outside of DNS, ping, and traceroute to our internal servers just times out. The PA-820 log shows everything is allowed. I have any/any policies set up for GP to LAN and vice versa and the policies are placed at the top. Application traffic appears for the most part to be ID'd correctly; I can see DNS, ping, netbios-ns, ldap, smb, etc. all listed in the application column. However, everything is either "aged-out" (most) or "tcp-rst-from-client" (a few) for the session end reason.&lt;/P&gt;&lt;P&gt;I can't for the life of me understand why I can ping both ways, but app traffic won't get through. There is no policy blocking it and routing seems to be set up.&lt;/P&gt;&lt;P&gt;Any ideas of what to consider? I'm sure this is something dumb I'm missing.&lt;/P&gt;</description>
    <pubDate>Wed, 10 Apr 2019 18:18:30 GMT</pubDate>
    <dc:creator>DigitalAffinity</dc:creator>
    <dc:date>2019-04-10T18:18:30Z</dc:date>
    <item>
      <title>New GP deployment - DNS, ping, and tracert work, but no app traffic</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/new-gp-deployment-dns-ping-and-tracert-work-but-no-app-traffic/m-p/257039#M72917</link>
      <description>&lt;P&gt;I've set up a new GP config on a new PA-820 firewall. I have an old firewall I'm replacing, but I'm running them side by side. On the new 820 GP, I can connect with a GP client, and then ping internal servers. I can verify that DNS is working with nslookup using our internal DNS servers and all of the internal resources resolve and can be pinged just fine. I can also ping the GP client from any internal resource. So I believe routing is set up correctly. I can also get to the web just fine on the GP client.&lt;/P&gt;&lt;P&gt;However, everything outside of DNS, ping, and traceroute to our internal servers just times out. The PA-820 log shows everything is allowed. I have any/any policies set up for GP to LAN and vice versa and the policies are placed at the top. Application traffic appears for the most part to be ID'd correctly; I can see DNS, ping, netbios-ns, ldap, smb, etc. all listed in the application column. However, everything is either "aged-out" (most) or "tcp-rst-from-client" (a few) for the session end reason.&lt;/P&gt;&lt;P&gt;I can't for the life of me understand why I can ping both ways, but app traffic won't get through. There is no policy blocking it and routing seems to be set up.&lt;/P&gt;&lt;P&gt;Any ideas of what to consider? I'm sure this is something dumb I'm missing.&lt;/P&gt;</description>
      <pubDate>Wed, 10 Apr 2019 18:18:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/new-gp-deployment-dns-ping-and-tracert-work-but-no-app-traffic/m-p/257039#M72917</guid>
      <dc:creator>DigitalAffinity</dc:creator>
      <dc:date>2019-04-10T18:18:30Z</dc:date>
    </item>
    <item>
      <title>Re: New GP deployment - DNS, ping, and tracert work, but no app traffic</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/new-gp-deployment-dns-ping-and-tracert-work-but-no-app-traffic/m-p/257082#M72930</link>
      <description>&lt;P&gt;May be a silly question, but did you add the GP zone to the outbound NAT/Security policies?&lt;/P&gt;</description>
      <pubDate>Wed, 10 Apr 2019 20:58:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/new-gp-deployment-dns-ping-and-tracert-work-but-no-app-traffic/m-p/257082#M72930</guid>
      <dc:creator>hshawn</dc:creator>
      <dc:date>2019-04-10T20:58:16Z</dc:date>
    </item>
    <item>
      <title>Re: New GP deployment - DNS, ping, and tracert work, but no app traffic</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/new-gp-deployment-dns-ping-and-tracert-work-but-no-app-traffic/m-p/257108#M72938</link>
      <description>&lt;P&gt;I solved it. The firewall config was correct. I forgot to add the correct route to the core switch. It had to be something simple.&lt;/P&gt;</description>
      <pubDate>Wed, 10 Apr 2019 23:58:08 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/new-gp-deployment-dns-ping-and-tracert-work-but-no-app-traffic/m-p/257108#M72938</guid>
      <dc:creator>DigitalAffinity</dc:creator>
      <dc:date>2019-04-10T23:58:08Z</dc:date>
    </item>
  </channel>
</rss>

