How do I enable ping to a non-mgmt IP address?

L1 Bithead

Hello,

I'm trying to enable ping to an external address that is not assigned to an interface. Is this possible? This address is used for NAT'ing purposes or to access an internal server.


I've done the following but I'm still not able to ping the address/server:

1. Allow application ping from internet to my external IP.

Am I missing anything?

Thanks



All Replies
L6 Presenter

If you have set up DNAT then enabling ping towards the (in your case) server should be the same way as when you enable other types of traffic.

If you want a physical interface of your PA box to reply to ping you need to set up a management profile where you only select "ping" and then attach this profile to that particular physical interface. I'm not sure if you need a security rule as well or not.

L5 Sessionator

To add to mikand, this traffic needs an intra-zone security rule, typically Untrust-to-Untrust, which is permitted by the firewall by default, unless we have an any-any deny-all rule configured.

The interface will proxy-ARP for all the addresses lying in its subnet. So adding an interface-management profile allowing the ping service should take care of things.

Please refer to: https://live.paloaltonetworks.com/docs/DOC-2998#cf

L1 Bithead

Thanks guys. Let me try these out and get back to you with results.

Appreciate the help!

L1 Bithead

Thanks guys, it seems like it is working. Thank you for that. The only concern that I have is I'd have to have a NAT rule that has the service any for this to work. How do I further restrict this so that only ping is allowed on the NAT rule? Is this possible?

NAT Rule looks like this:

Source [Untrust IP]

Destination [Untrust IP]

Service [Any]

Translated Address: [Internal Server IP]

Security Rule looks like this:

Source [Untrust IP]

Destination [Untrust IP]

Application [ping]

Action [Allow]

L5 Sessionator

Security Rule:

Source Zone [Untrust IP]

Destination Zone [Trust]

Source IP [any]

Destination IP  [Untrust IP - Original destination Ip/Non_translated IP]

Application [ping]

Action [Allow]

N.B.: Please make sure this specific rule is above other generic rules with context Source Zone [Trust] - Destination Zone [Trust].

Refer: https://live.paloaltonetworks.com/docs/DOC-1517
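The three pieces the replies describe (a ping-only interface management profile, the DNAT rule, and a security rule that admits only the ping application) written out as PAN-OS configure-mode "set" commands. This is an added example, not configuration from the original posts or from Palo Alto Networks; the object and rule names, the interface ethernet1/1, the zone names Untrust/Trust, and the addresses 203.0.113.10 (public NAT address) and 10.0.0.10 (internal server) are constructed placeholders. Because NAT service objects are TCP/UDP port definitions, the NAT rule cannot be narrowed to ICMP; the service stays any and the restriction is carried by the application match in the security rule.

```text
# Constructed example, PAN-OS CLI in configure mode. Names, zones, ethernet1/1
# and both IP addresses are placeholders; replace them with your own values.

# Address objects: the public IP that is NOT bound to an interface, and the server
set address ext-server-ip ip-netmask 203.0.113.10/32
set address int-server-ip ip-netmask 10.0.0.10/32

# 1. Management profile that permits only ping, attached to the outside interface.
#    This is what makes the interface's own address answer ping; the interface also
#    proxy-ARPs for NAT addresses inside its subnet, so nothing extra is needed there.
set network profiles interface-management-profile ping-only ping yes
set network interface ethernet ethernet1/1 layer3 interface-management-profile ping-only

# 2. DNAT rule: matched on the pre-NAT destination and both zones Untrust,
#    service left as any (service objects are TCP/UDP only, ICMP cannot be selected).
set rulebase nat rules dnat-ext-server from Untrust to Untrust source any destination ext-server-ip service any
set rulebase nat rules dnat-ext-server destination-translation translated-address int-server-ip

# 3. Security rule: pre-NAT destination address, post-NAT destination zone,
#    application restricted to ping. Keep it above any broader Untrust-to-Trust rule.
set rulebase security rules allow-ping-to-server from Untrust to Trust source any destination ext-server-ip application ping service application-default action allow
move rulebase security rules allow-ping-to-server top

commit
```

To check the result from operational mode before sending real traffic, `test security-policy-match from Untrust to Trust source 198.51.100.5 destination 203.0.113.10 protocol 1` (protocol 1 is ICMP, 198.51.100.5 is a constructed client address) should return the allow-ping-to-server rule, and a TCP test against the same destination should fall through to whatever deny rule sits below it.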
