https://live.paloaltonetworks.com/t5/general-topics/ping-to-internet-from-2nd-interface-ip-is-not-working-quot/m-p/333956#M84291 <P>Yes. there is no ruleset...</P><P>&nbsp;</P><P>The interface 1/2 and 1/3 has a default route 0.0.0.0 /0 with different metric value to their respective ISP's next hope.</P><P>Interface 1/2 attached to the HE security zone and Interface 1/3 attached to the Untrust zone.</P><P>Default route of Interface 1/2 metric value 11 and Interface 1/3 metric value 5.</P><P>&nbsp;</P><P>but when interface 1/3 untrust zone reaches the internet with his own interface and interface 1/2 HE zone tries to reach internet it goes with untrust interface...</P><P>&nbsp;</P><P>so I am looking for anything y to do that it can reach the internet with his own interface...</P><P>&nbsp;</P> Wed, 17 Jun 2020 21:29:57 GMT Mohammed_Yasin 2020-06-17T21:29:57Z https://live.paloaltonetworks.com/t5/general-topics/ping-to-internet-from-2nd-interface-ip-is-not-working-quot/m-p/333803#M84257 <P><FONT face="arial,helvetica,sans-serif" size="3">I have 2 outside interfaces configured with the below IP’s.</FONT></P><P>&nbsp;</P><OL><LI><FONT face="arial,helvetica,sans-serif" size="3">When I try to ping 4.2.2.2 using source as 94.56.143.XX interface 1/1 , ping is successful ( Untrust Zone )&nbsp;</FONT></LI><LI><FONT face="arial,helvetica,sans-serif" size="3">But if I try ping to 4.2.2.2 &amp; using source as 94.56.202.XXX interface 1/2, ping is unsuccessful. ( HE Zone )</FONT></LI></OL><P><FONT face="arial,helvetica,sans-serif" size="3">When I try from HE zone , it should go through HE zone but it is going to untrust zone and getting deny</FONT></P><P>&nbsp;</P><P><FONT face="arial,helvetica,sans-serif" size="3">I mean</FONT></P><P><FONT face="arial,helvetica,sans-serif" size="3">ISP 1 connected interface 1/3 with default route o.o.o.o of metric 5</FONT></P><P><FONT face="arial,helvetica,sans-serif" size="3">ISP 2 Connected interface 1/2 with default route&nbsp;o.o.o.o metric 11</FONT></P><P><FONT face="arial,helvetica,sans-serif" size="3">From ISP 1 interface 1/3 is pinging to 4.2.2.2 and we able to see the traffic log which allowed by intra-zone policy.</FONT></P><P><FONT face="arial,helvetica,sans-serif" size="3">From ISP 2 interface 1/2 is not pinging to 4.2.2.2 and getting denied by Inter zone policy.</FONT></P><P>&nbsp;</P><P><FONT face="arial,helvetica,sans-serif" size="3">Its possible to ping from 1/2 interface itself toward Internet.</FONT></P> Wed, 17 Jun 2020 10:59:36 GMT https://live.paloaltonetworks.com/t5/general-topics/ping-to-internet-from-2nd-interface-ip-is-not-working-quot/m-p/333803#M84257 Mohammed_Yasin 2020-06-17T10:59:36Z https://live.paloaltonetworks.com/t5/general-topics/ping-to-internet-from-2nd-interface-ip-is-not-working-quot/m-p/333951#M84287 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/131110">@Mohammed_Yasin</a>,</P><P>Sounds like you don't have a security rulebase entry that actually allows the traffic; you'll still need to allow the traffic.</P> Wed, 17 Jun 2020 21:15:52 GMT https://live.paloaltonetworks.com/t5/general-topics/ping-to-internet-from-2nd-interface-ip-is-not-working-quot/m-p/333951#M84287 BPry 2020-06-17T21:15:52Z https://live.paloaltonetworks.com/t5/general-topics/ping-to-internet-from-2nd-interface-ip-is-not-working-quot/m-p/333956#M84291 <P>Yes. there is no ruleset...</P><P>&nbsp;</P><P>The interface 1/2 and 1/3 has a default route 0.0.0.0 /0 with different metric value to their respective ISP's next hope.</P><P>Interface 1/2 attached to the HE security zone and Interface 1/3 attached to the Untrust zone.</P><P>Default route of Interface 1/2 metric value 11 and Interface 1/3 metric value 5.</P><P>&nbsp;</P><P>but when interface 1/3 untrust zone reaches the internet with his own interface and interface 1/2 HE zone tries to reach internet it goes with untrust interface...</P><P>&nbsp;</P><P>so I am looking for anything y to do that it can reach the internet with his own interface...</P><P>&nbsp;</P> Wed, 17 Jun 2020 21:29:57 GMT https://live.paloaltonetworks.com/t5/general-topics/ping-to-internet-from-2nd-interface-ip-is-not-working-quot/m-p/333956#M84291 Mohammed_Yasin 2020-06-17T21:29:57Z https://live.paloaltonetworks.com/t5/general-topics/ping-to-internet-from-2nd-interface-ip-is-not-working-quot/m-p/333967#M84294 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/131110">@Mohammed_Yasin</a>,</P><P>So some things to keep in mind:</P><P>&nbsp;</P><P>1) The firewall is routing your traffic as you've specified with your routes. ISP1 has the lowest metric and is always going to be selected unless you utilize path-monitoring on the route so the route can be removed from the RIB and FIB, which would make your secondary route take over. This is why you are seeing the traffic as you are, the traffic is going to utilize ISP1.</P><P>&nbsp;</P><P>2) IF you are using PBF to attempt to route some of the traffic through ISP2, traffic has to&nbsp;<STRONG>ingress&nbsp;</STRONG>a firewall interface to be evaluated for PBF. Traffic sourced directly from the firewall isn't going to hit any PBF you have configured. So while a PBF for traffic routing will work for clients behind the firewall, it won't work for anything terminating on the firewall itself or sourced from the firewall itself.&nbsp;</P> Wed, 17 Jun 2020 22:01:17 GMT https://live.paloaltonetworks.com/t5/general-topics/ping-to-internet-from-2nd-interface-ip-is-not-working-quot/m-p/333967#M84294 BPry 2020-06-17T22:01:17Z