Palo Alto connection Virtual wire drop User VPN anyconnect

sayyidi — Sun, 11 Oct 2020 14:49:07 GMT

Hi everyone,

I am facing an issue where I setup my PA-850 as a transparent mode (virtual wire) and set the policy as default to allow all the traffic. Connection of my PA-850 is in between router and core switch. I can see all the traffic is passthrough the PA-850 without any issue however, some of the user from other branch connect through Anyconnect VPN of their branch ASA firewall unable to reach to my internal server due to my PA-850. I try to filter in monitor tab and check the source or destination ip address of the branch ASA firewall and nothing is showing. Temporary solution is to set my router directly connect to the core switch (bypass PA-850) and then user that connect through Anyconnect VPN able to reach my internal server. any idea what is the reason for this ?

Re: Palo Alto connection Virtual wire drop User VPN anyconnect

reaper — Fri, 16 Oct 2020 14:37:48 GMT

if you set your policy as default, you will be silently (no log) dropping connections that are not being allowed

you can resolve that by setting a drop rule at the end of your policy that logs all denied vonnections, or override and edit the default rule to log-at-end

topic Re: Palo Alto connection Virtual wire drop User VPN anyconnect in General Topics

Palo Alto connection Virtual wire drop User VPN anyconnect

Re: Palo Alto connection Virtual wire drop User VPN anyconnect