- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
12-09-2010 01:05 PM
Hi everyone.
I need some help.
I I encoutered a problem with incomplete session during configuring a simple (as I thought) roule.
I have host inside my network and I want to configure the access from the internet. My configuration is: the first firewall is CheckPoint andthe second is Palo Alto.
I made a static NAT on it and proper rules to access to this host. Then I configured rules on Palo Alto. I did a simple rule that gives a right to access to this host but on internal IP (because according to me host is transalated later - on CheckPoint) on proper services.
Unfortunately there is only a incomplete sessions on Panorama logs.
Besides that I did proper routing entires both Palo Alto and CheckPoint machines.
I don't know what do I should configure more.
There are positive logs on checkpoint dashboard but there is no more information in Panorama logs about this problem.
Does aanyone of us can help me?
Thanks a lot
By
Paul
12-09-2010 05:35 PM
Hi,
Try taking a look at the session trace on the incomplete session - that should give you some idea of how the packet is being seen by the PAN, what rules it's hitting, etc.
A few questions for you:
1) how is the PAN deployed (l2, l3, vwire)?
2) What does the policy on the PAN look like?
12-09-2010 10:43 PM
An incomplete session means either the 3-way TCP handshake never completed or if it did complete there were no further packets. This typically happens when the firewall only see's half of the traffic. This can be due to asymmetric routing or perhaps a firewall rule/acl downstream from the Palo Alto firewall.
If you check the details of the session you will probably see only 1 packet was recorded which would also indicate that the firewall is not seeing the return traffic for some reason. (or maybe the return traffic is coming back on a different interface in another zone?)
Cheers,
Kelly
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!