01-15-2019 12:28 AM - edited 01-15-2019 12:56 AM
After clicking "Check Now" in "Dynamic Updates", it shows the error popup as in the link below:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkuCAC
The above KB does not apply to my case, as I do not allow my management interface to reach the internet.
So I went to customize "Service Route Configuration" and set the Source Address of the services "Palo Alto Networks Services" and "URL Updates" to the internet-facing interface, which is assigned a public IP address. Still not working. Although I'm not sure whether these 2 services are for Dynamic Updates or not.
SSH to the CLI. I ping from the source interface public IP to host www.google.com. The result is unknown host. If I change to ping the IP of www.google.com, the result is 100% loss. But the webUI Traffic logs show the ping allowed.
That's weird since all internal users go to the internet through that interface without problem. But ping sourced from it results in all packets lost.
Any possible reason for this problem?
01-15-2019 05:45 AM
"unknown host" would suggest that your DNS is not working correctly for your services.
01-15-2019 05:55 AM
If you have your DNS set correctly in the Services tab, then try changing the service route to the same as your Palo Alto updates.
01-15-2019 05:57 AM
To confirm: the correct service route is "Palo Alto Updates"
01-16-2019 10:52 PM
Hello MickBall,
The PAN-OS version is 8.0.7.
Service Route has no "Palo Alto Updates".
01-16-2019 11:36 PM
Yes, sorry the description changed in v8.
Anyhow... seems like DNS is not working. What is your DNS address in Services?
Try setting it to 8.8.8.8 and change the DNS service route to the same as your Palo Alto updates.
Not sure, but you may need a DNS policy to allow this out.
01-17-2019 12:02 AM
I temporarily changed the service route config to "Use Management Interface for all". But still cannot ping outside.
The Management interface set as below:
IP Address: 192.168.123.123
Netmask: 255.255.255.0
Default Gateway: 192.168.123.254
Speed: auto-negotiate
MTU: 1500
Network Connectivity Services: HTTPS, Ping, SSH
Services set as below:
Primary DNS Server: 8.8.8.8
Secondary DNS Server: 8.8.4.4
Update Server: updates.paloaltonetworks.com
Security Policy is set to allow the source zone of the management interface to the destination zone of the internet-facing interface.
Monitor Traffic shows source 192.168.123.123 to destination 8.8.8.8, applications ping and dns allowed. It uses the correct rule too.
01-17-2019 02:27 AM
I have the following settings and it works.
Custom service routes:
DNS = internet interface/IP address
Updates = internet interface/IP address
It works without any additional policies because the default intranet policy is applied.
01-17-2019 02:49 PM
Are you applying NAT to that traffic?
If the source 192.168.123.123 is not getting the public NAT address of your interface, you won't be able to get a reply. You can test if it's got a NAT match with the CLI test command:
> test nat-policy-match protocol 6 source 192.168.123.123 destination 8.8.8.8 destination-port 443
01-17-2019 06:58 PM
Managed to make it work. It requires "DNS" and "Palo Alto Networks Services" set to use the outgoing interface. I didn't change "DNS", which was "Use default" before.
Although I can successfully ping (contact) outside from the outgoing interface, I've got another problem now. As my PA device has 2 outgoing interfaces (to 2 modems), the one which succeeds is not my preference. The preferred one cannot even ping from outside, nor ping to outside. But I'm sure internal users can use it to access the internet.
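The checks the replies above walk through (service route, route lookup, security policy, NAT match, DNS resolution from the chosen source interface, then the content check itself), collected into one PAN-OS operational CLI sequence. This is an added example, not part of any post in this thread; the zone names `mgmt-zone` and `untrust`, the virtual router `default` and the outside interface address 203.0.113.10 are placeholders to substitute with your own values.

```text
# 1. Does the chosen virtual router have a route to the DNS server / update server?
> test routing fib-lookup virtual-router default ip 8.8.8.8

# 2. Is the management-to-untrust DNS flow permitted by security policy?
#    (protocol 17 = UDP, port 53; use protocol 6 and port 443 for the HTTPS update check)
> test security-policy-match from mgmt-zone to untrust source 192.168.123.123 destination 8.8.8.8 protocol 17 destination-port 53

# 3. Does the same flow hit a NAT rule? Without a public source NAT the reply has nowhere to go.
> test nat-policy-match from mgmt-zone to untrust source 192.168.123.123 destination 8.8.8.8 protocol 17 destination-port 53

# 4. Can the outgoing interface itself resolve and reach the update server?
#    "unknown host" here means the DNS service route, not the update service route, is the problem.
> ping source 203.0.113.10 host updates.paloaltonetworks.com

# 5. Repeat the dynamic-update check from the CLI once DNS and Palo Alto Networks Services
#    both use the outgoing interface as their service route.
> request content upgrade check
```

Run steps 2 and 3 once for UDP/53 and once for TCP/443, since the DNS lookup and the update download are separate flows and either can be blocked on its own.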
01-18-2019 02:26 AM
Well done Jezza, perhaps you could mark this as resolved and then log a new post for your new issue.
Please include VR details and default gateways as this will help with diagnostics....