Stateful or not stateful

L1 Bithead

Stateful or not stateful

We recently purchased PA-3020s mainly for application control reasons and put them behind Cisco ASAs. I set up a trust-to-untrust policy which applies to outbound internet traffic. I denied unwanted apps and allowed the rest using user group mapping. That is all working fine and users can access the internet with no problem.

Well, last week I tried to do the same to the default untrust-to-trust policy for the inbound traffic. I created a policy that allowed the DMZ and remote VPN traffic coming through the ASA, and I changed the default untrust-to-trust policy from allow to deny. The result was that internet access stopped. No one could access the Internet and I had to back the change out.

My thinking was that this is a stateful firewall and for any outbound traffic, the return traffic should pass through if it matches an established session. Is this not right with PA firewalls? Do they do stateful inspection or not?

Thank you

L6 Presenter

Re: Stateful or not stateful

Hi,

Palo Alto is stateful by default. Do you have 1 Cisco ASA or 2 Cisco ASAs in that topology?

Are they active/passive or active/active?

You should examine the logs related to the clients so that you will see what happened during that config.

L5 Sessionator

Re: Stateful or not stateful

Are the PANFWs in Layer3 mode or in vwire mode?

Can you attach a screenshot of the untrust-to-trust rule on the PANFW?

Thanks and best regards,

Karthik RP

L1 Bithead

Re: Stateful or not stateful

I have 2 ASAs active/standby, same as the PAs. The PAs are in vwire mode. Let me try it again and I will check the logs closely or post them here.

Thank you all for the input.

L1 Bithead

Re: Stateful or not stateful

I discovered what the issue was. It was an error on my part in how I configured the policy. Thank you all.

L2 Linker

Re: Stateful or not stateful

Hi Team,

Is there any document available stating that the PA 3020 is stateful?

Please share a link to download.

Community Team Member

Re: Stateful or not stateful

NickySorot, as was stated before, all Palo Alto Networks firewalls are stateful by default.

If you require something specific, please let us know.

Stay Secure,
Joe
End of line
L2 Linker

Re: Stateful or not stateful

OK, thanks. Can you share a document link as proof that this is stateful?

One more question: can we assign multiple segments on one interface?

ex: 192.168.1.0 to 192.168.1.32

192.168.1.33 to 192.168.1.64

L4 Transporter

Re: Stateful or not stateful

NickySorot

The information that you are looking for can be found on this link,

https://www.paloaltonetworks.com/resources/learning-center/what-is-a-firewall.html

Amjad

Community Team Member

Re: Stateful or not stateful

Nicky, the link was posted about being stateful.

As far as the multiple segments, you can place as many IP addresses as you want on an interface.

It looks like you want a "range"... Do you mind if I ask why you are wanting to do that? For what purpose? NAT?

Stay Secure,
Joe
End of line