I have worked with many different types of firewalls, but this is my first time with the Palo Alto 5050. Currently I have a basic configuration: a single internet connection and a VR with a default route, properly addressed interface, policy that allows all traffic, zones, etc. Right now I just want to be able to ping out to the internet; the rest of the setup will be fairly straightforward as I have already begun working on it. For some reason I cannot make a connection to the internet. I can ping all the interfaces that I have set up internally but not the gateway. Right now I have been provided with an address such as (fake address) 188.8.131.52/29 (interface address) and a gateway of 184.108.40.206. I have a VR with a default route of 0.0.0.0/0 to 220.127.116.11, the zone is untrusted, and my policy is built to allow all traffic in both directions for the time being. What am I missing? I used this document, https://live.paloaltonetworks.com/docs/DOC-1195, which was helpful, but I still cannot make a connection.
Can you confirm that you can ping next hop from outside interface?
admin@PA>ping source 18.104.22.168 host 22.214.171.124
Also, just to confirm, did you set up the NAT policy as follows:
Source Zone:- Trust
Destination Zone:- Untrust
Source Address:- Any
Destination Address:- any
Source Translation: Dynamic IP and Port, Untrust Interface, 126.96.36.199/29
I can ping the next hop from that address. I didn't have my NAT set up, so I did that but still cannot ping out.
It looks like this:
Source Zone: trust
Destination Zone: untrust
Destination Interface: any
Source Address: any
Destination Address: any
Source Translation: dynamic-ip-and-port, ethernet1/1, 188.8.131.52/29
Can you ping the next hop from the internal interface?
Is the DNS configured on the firewall, under Device > Setup > Management > Services > DNS settings?
Do you mean, you are not able to ping the gateway from the management ip-address of the firewall?
Does the following ping fail?
>ping host 184.108.40.206
If that is the case, the management interface network might not be configured to have internet access.
The management interface does not take part in the routing through the firewall unless you configure a Service Route Configuration for specific services to use one of the dataplane interfaces.
Device>Setup>Service>Service Route configuration
Also, make sure DNS is set up on the firewall.
Let me know if this helps.