https://live.paloaltonetworks.com/t5/general-topics/how-do-i-enable-ping-to-a-non-mgmt-ip-address/m-p/10054#M7359 <HTML><HEAD></HEAD><BODY><P>Security Rule ::</P><P style="color:#000000;font-family:Arial, Helvetica, sans-serif;font-size:12px;background-color:#ffffff">Source Zone [Untrust IP]</P><P style="color:#000000;font-family:Arial, Helvetica, sans-serif;font-size:12px;background-color:#ffffff">Destination Zone [Trust]</P><P style="color:#000000;font-family:Arial, Helvetica, sans-serif;font-size:12px;background-color:#ffffff">Source IP [any]</P><P style="color:#000000;font-family:Arial, Helvetica, sans-serif;font-size:12px;background-color:#ffffff">Destination IP&nbsp; [Untrust IP - Original destination Ip/Non_translated IP]</P><P style="color:#000000;font-family:Arial, Helvetica, sans-serif;font-size:12px;background-color:#ffffff">Application [ping]</P><P style="color:#000000;font-family:Arial, Helvetica, sans-serif;font-size:12px;background-color:#ffffff">Action [Allow]</P><P></P><P style="color:#000000;font-family:Arial, Helvetica, sans-serif;font-size:12px;background-color:#ffffff">N.B:Please make sure this specific rule is above other generic rules with context -Source Zone[Trust]&nbsp; -Destination Zone [Trust].</P><P style="color:#000000;font-family:Arial, Helvetica, sans-serif;font-size:12px;background-color:#ffffff">Refer ::&nbsp; <A href="https://live.paloaltonetworks.com/docs/DOC-1517">https://live.paloaltonetworks.com/docs/DOC-1517</A></P></BODY></HTML> Wed, 06 Jun 2012 15:39:48 GMT UhMayYeah 2012-06-06T15:39:48Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-enable-ping-to-a-non-mgmt-ip-address/m-p/10049#M7354 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I'm trying to enable ping to an external address that is not assigned to an interface? Is this possible? This address is used for NAT'ing purposes or to access an internal server.</P><P><BR />I've done the following but I'm still not able to ping the address/server:</P><P></P><P>1. allow application ping from internet to my external ip.</P><P></P><P>Am I missing anything?</P><P></P><P>Thanks</P></BODY></HTML> Mon, 04 Jun 2012 22:16:46 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-enable-ping-to-a-non-mgmt-ip-address/m-p/10049#M7354 x 2012-06-04T22:16:46Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-enable-ping-to-a-non-mgmt-ip-address/m-p/10050#M7355 <HTML><HEAD></HEAD><BODY><P>If you have setup DNAT then enabling ping towards the (in your case) server should be the same way as when you enable other types of traffic.</P><P></P><P>If you want a physical interface of your PA box to reply to ping you need to setup a management profile where you only select "ping" and then attach this profile to that particular physical interface. Im not sure if you need a security rule aswell or not.</P></BODY></HTML> Tue, 05 Jun 2012 07:57:02 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-enable-ping-to-a-non-mgmt-ip-address/m-p/10050#M7355 mikand 2012-06-05T07:57:02Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-enable-ping-to-a-non-mgmt-ip-address/m-p/10051#M7356 <HTML><HEAD></HEAD><BODY><P>To add to mikand, this traffic needs intra-zone security rule typically Untrust-to-Untrust which is permitted by the firewall by default,unless we have a any-any deny-all rule configured.</P><P>Interface will proxy-arp for all the addresses lying in it's subnet.So adding an interface-management profile allowing ping service should take care of things .</P><P>Please refer&nbsp; :<SPAN style="font-size:11.0pt;font-family:&amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;; mso-ascii-theme-font:minor-latin;mso-fareast-font-family:Calibri;mso-fareast-theme-font: minor-latin;mso-hansi-theme-font:minor-latin;mso-bidi-font-family:&amp;quot;Times New Roman&amp;quot;; mso-bidi-theme-font:minor-bidi;mso-ansi-language:EN-US;mso-fareast-language: EN-US;mso-bidi-language:AR-SA"><A href="https://live.paloaltonetworks.com/docs/DOC-2998#cf">https://live.paloaltonetworks.com/docs/DOC-2998#cf</A></SPAN></P></BODY></HTML> Tue, 05 Jun 2012 18:34:11 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-enable-ping-to-a-non-mgmt-ip-address/m-p/10051#M7356 UhMayYeah 2012-06-05T18:34:11Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-enable-ping-to-a-non-mgmt-ip-address/m-p/10052#M7357 <HTML><HEAD></HEAD><BODY><P>Thanks guys. Let me try these out and get back to you with results.</P><P></P><P>Appreciate the help!</P></BODY></HTML> Tue, 05 Jun 2012 18:38:19 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-enable-ping-to-a-non-mgmt-ip-address/m-p/10052#M7357 x 2012-06-05T18:38:19Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-enable-ping-to-a-non-mgmt-ip-address/m-p/10053#M7358 <HTML><HEAD></HEAD><BODY><P>Thanks guys, it seems like it is working. Thank you for that. The only concern that I have is I'd have to have a NAT rule that has the service any for this to work. How do I further restrict this so that only ping is allowed on the NAT rule? Is this possible?</P><P></P><P><STRONG>NAT Rule looks like this:</STRONG></P><P>Source [Untrust IP]</P><P>Destination [Untrust IP]</P><P><STRONG><EM>Service [Any]</EM></STRONG></P><P>Translated Address: [Internal Server IP]</P><P></P><P><STRONG>Security Rule looks like this:</STRONG></P><P>Source [Untrust IP]</P><P>Destination [Untrust IP]</P><P>Application [ping]</P><P>Action [Allow]</P></BODY></HTML> Wed, 06 Jun 2012 14:52:56 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-enable-ping-to-a-non-mgmt-ip-address/m-p/10053#M7358 x 2012-06-06T14:52:56Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-enable-ping-to-a-non-mgmt-ip-address/m-p/10054#M7359 <HTML><HEAD></HEAD><BODY><P>Security Rule ::</P><P style="color:#000000;font-family:Arial, Helvetica, sans-serif;font-size:12px;background-color:#ffffff">Source Zone [Untrust IP]</P><P style="color:#000000;font-family:Arial, Helvetica, sans-serif;font-size:12px;background-color:#ffffff">Destination Zone [Trust]</P><P style="color:#000000;font-family:Arial, Helvetica, sans-serif;font-size:12px;background-color:#ffffff">Source IP [any]</P><P style="color:#000000;font-family:Arial, Helvetica, sans-serif;font-size:12px;background-color:#ffffff">Destination IP&nbsp; [Untrust IP - Original destination Ip/Non_translated IP]</P><P style="color:#000000;font-family:Arial, Helvetica, sans-serif;font-size:12px;background-color:#ffffff">Application [ping]</P><P style="color:#000000;font-family:Arial, Helvetica, sans-serif;font-size:12px;background-color:#ffffff">Action [Allow]</P><P></P><P style="color:#000000;font-family:Arial, Helvetica, sans-serif;font-size:12px;background-color:#ffffff">N.B:Please make sure this specific rule is above other generic rules with context -Source Zone[Trust]&nbsp; -Destination Zone [Trust].</P><P style="color:#000000;font-family:Arial, Helvetica, sans-serif;font-size:12px;background-color:#ffffff">Refer ::&nbsp; <A href="https://live.paloaltonetworks.com/docs/DOC-1517">https://live.paloaltonetworks.com/docs/DOC-1517</A></P></BODY></HTML> Wed, 06 Jun 2012 15:39:48 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-enable-ping-to-a-non-mgmt-ip-address/m-p/10054#M7359 UhMayYeah 2012-06-06T15:39:48Z