Get Incomplete on Palo Alto after NAT on CheckPoint



Hi everyone.

I need some help.

I encountered a problem with incomplete sessions while configuring a simple (as I thought) rule.

I have a host inside my network and I want to configure access to it from the internet. My configuration is: the first firewall is CheckPoint and the second is Palo Alto.

I made a static NAT on it and proper rules to access this host. Then I configured rules on Palo Alto. I did a simple rule that gives the right to access this host, but on the internal IP (because, according to me, the host is translated later, on CheckPoint) on the proper services.

Unfortunately there are only incomplete sessions in the Panorama logs.

Besides that, I did proper routing entries on both the Palo Alto and CheckPoint machines.

I don't know what else I should configure.

There are positive logs on the CheckPoint dashboard, but there is no more information in the Panorama logs about this problem.

Can anyone help me?

Thanks a lot

By

Paul


L3 Networker

Hi,

Try taking a look at the session trace on the incomplete session - that should give you some idea of how the packet is being seen by the PAN, what rules it's hitting, etc.

A few questions for you:

1) How is the PAN deployed (L2, L3, vwire)?

2) What does the policy on the PAN look like?

L4 Transporter

An incomplete session means either the 3-way TCP handshake never completed or, if it did complete, there were no further packets. This typically happens when the firewall only sees half of the traffic. This can be due to asymmetric routing or perhaps a firewall rule/ACL downstream from the Palo Alto firewall.

If you check the details of the session you will probably see only 1 packet was recorded, which would also indicate that the firewall is not seeing the return traffic for some reason (or maybe the return traffic is coming back on a different interface in another zone?).

Cheers,

Kelly
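The two replies above suggest looking at the session details (packet counts, zones) to tell a half-seen flow from a completed handshake with no payload, and to spot return traffic arriving in a different zone. The script below is an added example, not code from this thread or from Palo Alto Networks: it parses a small constructed traffic-log export whose column set is a hypothetical, reduced subset of a PAN-OS traffic log (real exports have many more fields and a different column order, so map the header to your own export), classifies each `incomplete` session by whether any packets came back, and looks for the asymmetric-return signature where the server-to-client half of a flow shows up as its own session in a different zone pair.

```python
import csv
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List, Tuple

# Constructed sample export. Column names and order are an assumption made
# for this example; they are not the real PAN-OS traffic-log layout.
SAMPLE_LOG = """\
session_id,src,dst,dport,from_zone,to_zone,app,pkts_sent,pkts_received,end_reason
1001,203.0.113.7,10.10.10.25,443,untrust,trust,incomplete,1,0,aged-out
1002,203.0.113.8,10.10.10.25,443,untrust,trust,incomplete,3,0,aged-out
1003,203.0.113.9,10.10.10.25,443,untrust,trust,ssl,14,12,tcp-fin
1004,203.0.113.10,10.10.10.25,443,untrust,trust,incomplete,2,1,aged-out
1005,10.10.10.25,203.0.113.7,51234,trust,dmz,incomplete,1,0,aged-out
"""


@dataclass
class Session:
    session_id: str
    src: str
    dst: str
    dport: int
    from_zone: str
    to_zone: str
    app: str
    pkts_sent: int
    pkts_received: int
    end_reason: str


def parse_log(text: str) -> List[Session]:
    """Read the CSV export into Session records, converting numeric fields."""
    rows = csv.DictReader(StringIO(text))
    return [
        Session(
            r["session_id"], r["src"], r["dst"], int(r["dport"]),
            r["from_zone"], r["to_zone"], r["app"],
            int(r["pkts_sent"]), int(r["pkts_received"]), r["end_reason"],
        )
        for r in rows
    ]


def classify(s: Session) -> str:
    """Distinguish the two situations the reply describes for an incomplete session."""
    if s.app != "incomplete":
        return "complete"
    if s.pkts_received == 0:
        # Only client-to-server packets were seen: the SYN-ACK never came back
        # through this firewall (asymmetric return path or a downstream block).
        return "one-way"
    # Handshake finished, but no application payload followed.
    return "no-payload"


def find_reverse_flows(sessions: List[Session]) -> List[Tuple[str, str]]:
    """Pair one-way sessions with a session in the opposite direction whose
    ingress zone is not the zone the original flow was sent to. That is what
    return traffic arriving on a different interface/zone looks like."""
    by_pair: Dict[Tuple[str, str], List[Session]] = {}
    for s in sessions:
        by_pair.setdefault((s.src, s.dst), []).append(s)
    hits = set()
    for s in sessions:
        if classify(s) != "one-way":
            continue
        for r in by_pair.get((s.dst, s.src), []):
            if r.from_zone != s.to_zone:
                hits.add(tuple(sorted((s.session_id, r.session_id))))
    return sorted(hits)


def summarize(sessions: List[Session]) -> Dict[Tuple[str, str, str], int]:
    """Count sessions per (from_zone, to_zone, classification) so a zone pair
    with many one-way sessions stands out."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for s in sessions:
        key = (s.from_zone, s.to_zone, classify(s))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    for s in sessions:
        print(s.session_id, s.from_zone, "->", s.to_zone, classify(s))
    print("zone summary:", summarize(sessions))
    print("possible asymmetric return pairs:", find_reverse_flows(sessions))
```

A zone pair dominated by `one-way` sessions points at the path between the Palo Alto and the server (routing for the return path, or a rule on the next hop) rather than at the Palo Alto policy itself; a matched reverse pair in another zone is the case where the return packets do reach the firewall but on an interface the original session did not expect.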
