https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12723#M9336 <HTML><HEAD></HEAD><BODY><P>Hello Satish,</P><P></P><P>Do you have a "default deny" policy on this firewall, it may block interface management traffic <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>intra zone traffic). </P><P></P><P><STRONG>For an example:</STRONG> If you have enabled <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 13.3333339691162px;">management profile (ping<SPAN class="GINGER_SOFTWARE_mark">,</SPAN>ssh<SPAN class="GINGER_SOFTWARE_mark">,</SPAN><SPAN class="GINGER_SOFTWARE_mark">https</SPAN><SPAN class="GINGER_SOFTWARE_mark"> )</SPAN> on ethernet-1/1 interface <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>Trust zone) and you are trying to access the firewall from your Trust network, then you have to configure a "Trust to Trust" security policy on this firewall <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>if you have a any-any-deny rule at the bottom). </SPAN></P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 19 Nov 2014 08:00:05 GMT HULK 2014-11-19T08:00:05Z https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12722#M9335 <HTML><HEAD></HEAD><BODY><P>Hi Friends,</P><P>please suggest, i have create a management profile (ping,ssh,https ) and apply e1/1 (static ip) but i am not able to ping and web access.</P><P>Regards Satish</P></BODY></HTML> Wed, 19 Nov 2014 07:44:06 GMT https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12722#M9335 Satish 2014-11-19T07:44:06Z https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12723#M9336 <HTML><HEAD></HEAD><BODY><P>Hello Satish,</P><P></P><P>Do you have a "default deny" policy on this firewall, it may block interface management traffic <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>intra zone traffic). </P><P></P><P><STRONG>For an example:</STRONG> If you have enabled <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 13.3333339691162px;">management profile (ping<SPAN class="GINGER_SOFTWARE_mark">,</SPAN>ssh<SPAN class="GINGER_SOFTWARE_mark">,</SPAN><SPAN class="GINGER_SOFTWARE_mark">https</SPAN><SPAN class="GINGER_SOFTWARE_mark"> )</SPAN> on ethernet-1/1 interface <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>Trust zone) and you are trying to access the firewall from your Trust network, then you have to configure a "Trust to Trust" security policy on this firewall <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>if you have a any-any-deny rule at the bottom). </SPAN></P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 19 Nov 2014 08:00:05 GMT https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12723#M9336 HULK 2014-11-19T08:00:05Z https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12724#M9337 <HTML><HEAD></HEAD><BODY><P>Hi Hulk,</P><P></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">I have already&nbsp; create a policy for the same like (trust to trust and wan to wan ) but facing same issue and also i am not getting any logs. please suggest.</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Regards</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Satish<BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P></BODY></HTML> Wed, 19 Nov 2014 08:06:40 GMT https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12724#M9337 Satish 2014-11-19T08:06:40Z https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12725#M9338 <HTML><HEAD></HEAD><BODY><P>Hello Satish,</P><P></P><P>Do you have multiple VR or VSYS on your setup...?</P><P></P><P>Thanks</P></BODY></HTML> Wed, 19 Nov 2014 08:18:21 GMT https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12725#M9338 HULK 2014-11-19T08:18:21Z https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12726#M9339 <HTML><HEAD></HEAD><BODY><P>hi,</P><P>best way look if paloalto drops that or not (ping with -t and start doing)</P><P></P><P>go to cli</P><TABLE><TBODY><TR><TD></TD></TR></TBODY></TABLE><P></P><P>debug dataplane packet-diag set filter match source SOURCEIP destination INTERFACEIP</P><P>debug dataplane packet-diag set filter match source INTERFACEIP destination SOURCEIP</P><P>debug dataplane packet-diag set filter on</P><P></P><P>show counter global filter packet-filter yes delta yes severity drop</P><P></P><P>output will show information</P></BODY></HTML> Wed, 19 Nov 2014 08:21:32 GMT https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12726#M9339 Retired Member 2014-11-19T08:21:32Z https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12727#M9340 <HTML><HEAD></HEAD><BODY><P>Hello Satish,</P><P></P><P>Do you have any NAT policy configured for the same interface IP address..?</P><P></P><P>Thanks</P></BODY></HTML> Wed, 19 Nov 2014 08:22:24 GMT https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12727#M9340 HULK 2014-11-19T08:22:24Z https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12728#M9341 <HTML><HEAD></HEAD><BODY><P><A href="https://live.paloaltonetworks.com/docs/DOC-3367">Unable to Connect to or Ping a Firewall Interface</A></P><P><A href="https://live.paloaltonetworks.com/message/16155">mgmt</A></P><P></P><P>Thanks</P></BODY></HTML> Wed, 19 Nov 2014 08:23:33 GMT https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12728#M9341 HULK 2014-11-19T08:23:33Z https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12729#M9342 <HTML><HEAD></HEAD><BODY><P>Hi Hulk, No, i dont have multiple VR. Regards Satish</P></BODY></HTML> Wed, 19 Nov 2014 09:12:04 GMT https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12729#M9342 Satish 2014-11-19T09:12:04Z https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12730#M9343 <HTML><HEAD></HEAD><BODY><P>Hi Hulk,</P><P>yes i have NET policy for the same interface.</P><P>Regards</P><P>Satish</P></BODY></HTML> Wed, 19 Nov 2014 09:18:13 GMT https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12730#M9343 Satish 2014-11-19T09:18:13Z https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12731#M9344 <HTML><HEAD></HEAD><BODY><P>if you have a NAT rule with source zone any this can be the issue</P></BODY></HTML> Wed, 19 Nov 2014 09:19:28 GMT https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12731#M9344 Retired Member 2014-11-19T09:19:28Z https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12732#M9345 <HTML><HEAD></HEAD><BODY><P>Hi PANOS,</P><P></P><P>You are right after disable NAT rule. i am able to ping and SSH, HTTPS.</P><P></P><P></P><P>Regards</P><P>Satish</P></BODY></HTML> Wed, 19 Nov 2014 09:44:44 GMT https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12732#M9345 Satish 2014-11-19T09:44:44Z https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12733#M9346 <HTML><HEAD></HEAD><BODY><P>please suggest to me best practice for the same.</P></BODY></HTML> Wed, 19 Nov 2014 09:45:35 GMT https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12733#M9346 Satish 2014-11-19T09:45:35Z https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12734#M9347 <HTML><HEAD></HEAD><BODY><P>When using NAT rules do not use any,</P><P>instead use the real zone names related.</P><P>What is the rule disabled ? can you share </P></BODY></HTML> Wed, 19 Nov 2014 09:56:56 GMT https://live.paloaltonetworks.com/t5/general-topics/management-profile-issue/m-p/12734#M9347 Retired Member 2014-11-19T09:56:56Z