I have a PA 500, running 4.0.5 and I have two zones that are 'special' : PCI and DMZ. Both are setup identically but only one works. Here is how it is:
Zones: Rest1 (Tunnel.1), DMZ (1/8), External (1/1, 1/7), Internal (1/1, tunnel, Tunnel.2), PCI (1/6) and WiFi (1/4). Both Trust and Untrust show up but only as Virtual-Wire, no zones or VS.
VR1: Has a static route for for DMZ of 172.16.60.0/24 to Int 1/8, no next hop (PCI is setup same except for 1/6 and 172.16.50.0/24)
PCI and DMZ are both setup with an Interface: 172.16.50.254 (PCI) on 1/6 and 172.16.60.254 (DMZ) on 1/8. These IP addresses are used as the GW in the TCP/IP setup.
Both interfaces HAD a switch connected to them and devices connected via the switch. The switch uses vLAN to seperate the zones. I have disconncted the switch on the DMZ port and directly connected a test machine to port 1/8.
There is a rule that allows Internal Zone to go EVERYWHERE.
There WERE rules that allowed the DMZ to EXTERNAL (worked) and the DMZ to Internal (did not work) and were COPIED form existing rules that that were, and are, working on the PCI zone. I have ripped these out and am working on replacing from scratch.
On the core switch, a route sends all unknown traffic to the Palo Alto 1/1. Normally the core switch has a connection to the relevant interface (1/6 for PCI and 1/8 for DMZ) and uses vLAN tagging.Since the interface is the def GW, I don't think core routing is an issue but listed nonetheless.
As setup, with no rules with the DMZ at all I can hit and RDP to the test box. The test box can be ocntrolled and pinged form INTERNAL but cannot ping nor get out from DMZ (as presently configured); when I had the rules in place I could ping 22.214.171.124 but not local devices (such as teh computer controling it by RDP).
I had taken all the DMZ rules and placed them at the top of the rules list but it made no difference.
Any ideas what oculd be the proble, or how to either fix or troubleshoot? I'm going to try building the rules again from scrtach and hope it was something malformed or fat-fingered. of course, that is what I did earlier today, anyway.
Any suggestions or help most welcome.
ok, more in depth explanation:
We have two ISPs. Both are in use, one primarily serves teh serves and the others the users.
We have two extrenal VPN addresses as well, once on each ISP.
My route pushes everything out ISP A.
My PBF sends everything but servers AND MY DESKTOP through ISP B. The PBF listed destination netwroks and then NEGATED them (so basically if its for those networks, do not route out, otehrwise, do so).
When I would ping from my desktop it would go through (I never tested from another desktop). It would ping back. It would not ping the servers. It would not ping the management vLAN.
When I finally did a tracert from my core switch, it went to the firewall interface and then to next hop on ISP B. Upon inspection, the negated addresses in the PBF did not have a DMZ subnet listed. So I created it, included it in the PBF and it started working.
I suppose the ISP would try and route it back in but rules owuldn;t let it as setup. I guess if they did up;d get a loop.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!