Best guides for new Firewall Deployment

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Best guides for new Firewall Deployment

L1 Bithead

I am deploying a new firewall for a PoC however I am having some issues. I have deployed and activated the server on Azure, I am using VM-Series. However despite on the Azure side there being no restrictions, there server is not able to connect to the internet for updates. 
I must be missing something basic in understand/setup so any pointers would be great.

5 REPLIES 5

Cyber Elite
Cyber Elite

is the server in the same vnet and subnet as the internal interface and how have you set the default gateway of the server? 

most commonly the internal interface of the palo will be dhcp client and the server behind has a default gateway to x.x.x.4

Set the palo external interface also to dhcp client and enable dynamic port/ip NAT and only assign the interface (don't set an IP)

 

 

see if that helps

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

The server is on the same virtual network as the internal interface but not the same subnet. The Internal interface has been configured with DHCP, however I have not done anything specific to define the gateway, where would this be done? 

Cyber Elite
Cyber Elite

@Nhussain,

What are you seeing in the traffic logs? Do you see the traffic coming in from the server in question? Do you see it properly your NAT statement? 

So Logs show traffic is allowed and the NAT is also being applied.

however after all that nothing worked, so I deployed another Palo ALto instance but this time it had a public IP on the management interface. it worked,

 

Added a public IP on the server I was working on and internet connectivity worked. My question is why? Azure does nat'ing for you, it should not need a public IP to get out to the internet? Does anyone know why? 

Cyber Elite
Cyber Elite

Hello,

Sounds like a routing/policy issues with the original PAN you deployed. I wouldnt recommend having the management interface internet facing unless you lock it down to source IP's. However you can change the services, so they use a different interface to reaching out and grabbing updates, etc.

If you're adventurous

https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint...

it blocks almost everything so be careful.

 

Regards,

  • 2221 Views
  • 5 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!