https://live.paloaltonetworks.com/t5/general-topics/new-vm-100-deployment-cannot-ping-or-tracert-to-external/m-p/342298#M85809 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/148784">@RamprakashRT</a>, thanks for this.</P><P>&nbsp;</P><P>I had actually just tried that before your post. I originally had a secondary IP address configured on the interface with a public IP address, but that didn't work. So, I scrapped that, and put the public IP address right on the interface. I can now ping, but tracert isn't working. Do I need to modify the NSG to allow all inbound internet traffic on the untrust interface?</P><P>&nbsp;</P><P>Thanks.</P><P>&nbsp;</P><P>Rich</P> Wed, 05 Aug 2020 20:33:21 GMT rbottiglieri 2020-08-05T20:33:21Z https://live.paloaltonetworks.com/t5/general-topics/new-vm-100-deployment-cannot-ping-or-tracert-to-external/m-p/342098#M85777 <P>Just setup a new VM-100 device in Azure. SSL decryption and security policies are in place. My test client PC can browse the web, and all of the policies seem to work.</P><P>&nbsp;</P><P>However, I cannot ping or tracert to any public website (e.g., <A href="http://www.apple.com" target="_blank">www.apple.com</A>). The DNS resolution works, I see that the ping traffic is allowed in the monitor tab, and I disabled SSL decryption as a test, but it still didn't work.</P><P>&nbsp;</P><P>I'm sure that it's something simple, but anyone have any ideas?</P><P>&nbsp;</P><P>Thanks!</P><P>&nbsp;</P><P>Rich</P> Tue, 04 Aug 2020 22:04:15 GMT https://live.paloaltonetworks.com/t5/general-topics/new-vm-100-deployment-cannot-ping-or-tracert-to-external/m-p/342098#M85777 rbottiglieri 2020-08-04T22:04:15Z https://live.paloaltonetworks.com/t5/general-topics/new-vm-100-deployment-cannot-ping-or-tracert-to-external/m-p/342297#M85808 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/151211">@rbottiglieri</a>&nbsp;,</P><P>Please make sure you have a PublicIP assigned to your untrust interface . In Azure Ping and traceroute will not work if you didnnt have a public IP in the untrust interface. Please try and let me know,</P><P>&nbsp;</P><P>Thanks,</P><P>Ram</P> Wed, 05 Aug 2020 20:29:40 GMT https://live.paloaltonetworks.com/t5/general-topics/new-vm-100-deployment-cannot-ping-or-tracert-to-external/m-p/342297#M85808 RamprakashRT 2020-08-05T20:29:40Z https://live.paloaltonetworks.com/t5/general-topics/new-vm-100-deployment-cannot-ping-or-tracert-to-external/m-p/342298#M85809 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/148784">@RamprakashRT</a>, thanks for this.</P><P>&nbsp;</P><P>I had actually just tried that before your post. I originally had a secondary IP address configured on the interface with a public IP address, but that didn't work. So, I scrapped that, and put the public IP address right on the interface. I can now ping, but tracert isn't working. Do I need to modify the NSG to allow all inbound internet traffic on the untrust interface?</P><P>&nbsp;</P><P>Thanks.</P><P>&nbsp;</P><P>Rich</P> Wed, 05 Aug 2020 20:33:21 GMT https://live.paloaltonetworks.com/t5/general-topics/new-vm-100-deployment-cannot-ping-or-tracert-to-external/m-p/342298#M85809 rbottiglieri 2020-08-05T20:33:21Z https://live.paloaltonetworks.com/t5/general-topics/new-vm-100-deployment-cannot-ping-or-tracert-to-external/m-p/342301#M85810 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/151211">@rbottiglieri</a>&nbsp;</P><P>&nbsp;</P><P>I suspect the security policy in the firewall. Just to isolate , is it possible to create a plain firewall rule for the test machine by allowing all the traffic in the firewall.&nbsp; Also untrust interface outbound NSG 'allow all' and trust interface inbound NSG 'allow all'.</P><P>&nbsp;</P><P>Thanks,</P><P>Ram</P> Wed, 05 Aug 2020 20:48:06 GMT https://live.paloaltonetworks.com/t5/general-topics/new-vm-100-deployment-cannot-ping-or-tracert-to-external/m-p/342301#M85810 RamprakashRT 2020-08-05T20:48:06Z https://live.paloaltonetworks.com/t5/general-topics/new-vm-100-deployment-cannot-ping-or-tracert-to-external/m-p/342322#M85817 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/148784">@RamprakashRT</a>,</P><P>&nbsp;</P><P>I did some digging, and I think the issue is that Azure does not permit you to ping the default gateway in an Azure VNET. Check out this doc:</P><P>&nbsp;</P><P><A href="https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq" target="_blank">https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq</A></P><P>&nbsp;</P><P>Adding the public IP to the interface, I can now ping public internet addresses. However, traceroute does not work, and by the looks of things, it is not supposed to work.</P><P>&nbsp;</P><P>Thanks for the help.</P><P>&nbsp;</P><P>Rich</P> Wed, 05 Aug 2020 21:26:21 GMT https://live.paloaltonetworks.com/t5/general-topics/new-vm-100-deployment-cannot-ping-or-tracert-to-external/m-p/342322#M85817 rbottiglieri 2020-08-05T21:26:21Z