I am brand new to Palo Altos and firewalls in general, so I'm sure I have made a couple obvious mistakes, but hope to learn. I have inherited a PA-220 that is now needed to be put in place between us and other connections (no internet). I have followed multiple tutorials, manuals, etc. to try and get this setup to work. The plan is to get the zones connecting and routing correctly, then tighten up security so only the approved things go through. Here's the proposed layout.
Right now, I'm just trying to get the two test PCs on the 192.0 zone and the 10.50 zone to ping. I'll add in the 192.168 zone later when I get the first two working.
Here's what I know:
1) The security policies are fine. I have tested them on a virtual wire version of the setup (with the two test PCs on one subnet) and the only thing I've changed is making the zones layer 3.
2) The test PCs can ping their interfaces, but no further. (e.g. 188.8.131.52 can ping 184.108.40.206 but NOT 10.50.75.100 or 75.90).
3) When using the console port, I can ping the interfaces from each other, but not any further out. (e.g. 220.127.116.11 can ping 10.50.75.100 but NOT 10.50.75.90).
4.) Also with console port, the interface can ping it's connected pc (e.g. 18.104.22.168 can ping 22.214.171.124).
5.) Traffic gets logged in the monitor for the pinging from the console port, but not from the PCs.
It is almost as if the ping request goes to the interface and gets lost.
Ethernet1/5 - Layer 3, Management Profile allows Ping, IP Addy 126.96.36.199/24, VR default, tag untagged, vlan none, security zone 192
Ethernet1/6 - Layer 3, Management Profile allows Ping, IP Addy 10.50.75.100/24, VR default, tag untagged, vlan none, security zone 10
192 - Layer 3, Interface ethernet1/5
10 - Layer 3, Interface 1/5
To10 - Universal, Source Zone 192, Destination Zone 10, Source any, application default, action Allow
Back4Test - Universal, Source Zone 10, Destination Zone 192, Source any, application default, action Allow
Virtual Router - default
Interfaces - ethernet1/5 and ethernet1/6
Default, destination 0.0.0.0/0, Interface ethernet1/6, Next Hop IP Address: 10.50.75.90, Admin default, metric 10, route table unicast.
I have tried static routes for the destination subnets and have even put a switch on the 10.50 side to test if the next hop NEEDED to be a device that could complete the routing. I've also tried none for the next hop when I had just the computer there.
I am hoping that I am just missing something tiny and simple, but I have no ideas at this point. Please help me fix this so I can stop going insane. Thanks in advance.
Solved! Go to Solution.
So first make sure your policies are set to log at session end so they will show up in the traffic logs. If you want to be able to ping the interfaces, you'll need to setup an interface management profile that allows Ping. Also a security policy that allows Ping.
Next check the Virtual router and make sure the routes are sending the traffic out the correct interfaces. Just because they are configured on the interfaces, doesnt mean the firewall will automatically route them.
Hope that helps.
Anytime traffic crosses a Zone, you will need a security policy.
Hello @OtakarKlier and thanks for the quick reply!
To answer your comments:
1) In the actions section of the security policy, I have them both set to log at the start and the end (overkill, but being as frazzled by this as I have been, I didn't want to leave anything to chance).
2) I neglected to put that in my config, but yes, both interfaces have the ping enabled for the management profile.
3) Can you please expound upon the sending traffic out the correct interfaces? I set a default (0.0.0.0/0) static route egress interface set to the correct interface (ethernet1/6 as that's where the 10.50 net is plugged). I have also tried doing the same with two static routes that specifically specify the 192 subnet (interface ethernet1/5) and the 10.50 subnet (interface ethernet1/6). Is there more I need to do in that regard?
Also, quick update for all,
I've been experimenting with bi-directional source NAT to see if that would help. It has not as of yet.
You wont need a nat it'll just complicate things for this setup. Do you have a route to the 192.0.0.0/?? network?
Interface: ethernet 1/5
next hop: none
Sounds like it might not know how to get back.
Thanks for the confirmation about the NAT. I got rid of it again.
The static route back to 192.0...
I've tried both ways actually. With a route back and without.
I just put in the route exactly as you specified, with no change.
One thing I am noticing, which is starting to raise some red flags for me, is when I look at the routing table, both static routes are listed as Static only. They are NOT active.
There ARE two routes that are listed as Active and Connect, and they are taking the same subnets with a next hop of .100...the interface addresses.
Edit for the following picture add
@Druke you shouldn't need any routes as each test PC is a part of the locally connected network (based on your diagram) and the FW will automatically route there with no need to identify anything else and further, the FW will permit the traffic if configured to do so via the policy which looks right...
Try removing all your static routes. You will need to go there at some point if you need to get to other networks thru another L3 device, but not for this.
Lastly, based on what you are saying (each PC can ping local/same subnet IP) I have to apologize in advance for a dumb question and no insult intended as I always start simple and work from there :), but does each PC have a default gateway configured to point to the local FW IP address?
TestPC1: IP 188.8.131.52/mask 255.255.255.0/gateway IP 184.108.40.206
TestPC2: IP 10.50.75.90/mask 255.255.255.0/gateway IP 10.50.75.100
@ddelcourt Thank you sir!
Don't worry, no offense is taken. You were correct, the dumb question was the right one to ask. The test PCs did not have the firewall interface as the default gateway. It's always the simple, stupid thing. I am kicking myself a little bit, but more than that, I'm happy it's fixed! Thanks again, all! Now to secure it!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!