06-04-2012 03:16 PM
Hello,
I'm trying to enable ping to an external address that is not assigned to an interface. Is this possible? This address is used for NAT'ing purposes or to access an internal server.
I've done the following but I'm still not able to ping the address/server:
1. allow application ping from internet to my external ip.
Am I missing anything?
Thanks
06-05-2012 12:57 AM
If you have setup DNAT then enabling ping towards the (in your case) server should be the same way as when you enable other types of traffic.
If you want a physical interface of your PA box to reply to ping you need to set up a management profile where you only select "ping" and then attach this profile to that particular physical interface. I'm not sure if you need a security rule as well or not.
06-05-2012 11:34 AM
To add to mikand, this traffic needs an intra-zone security rule, typically Untrust-to-Untrust, which is permitted by the firewall by default, unless we have an any-any deny-all rule configured.
The interface will proxy-ARP for all the addresses lying in its subnet. So adding an interface-management profile allowing the ping service should take care of things.
Please refer: https://live.paloaltonetworks.com/docs/DOC-2998#cf
06-05-2012 11:38 AM
Thanks guys. Let me try these out and get back to you with results.
Appreciate the help!
06-06-2012 07:52 AM
Thanks guys, it seems like it is working. Thank you for that. The only concern that I have is I'd have to have a NAT rule that has the service any for this to work. How do I further restrict this so that only ping is allowed on the NAT rule? Is this possible?
NAT Rule looks like this:
Source [Untrust IP]
Destination [Untrust IP]
Service [Any]
Translated Address: [Internal Server IP]
Security Rule looks like this:
Source [Untrust IP]
Destination [Untrust IP]
Application [ping]
Action [Allow]
06-06-2012 08:39 AM
Security Rule:
Source Zone [Untrust IP]
Destination Zone [Trust]
Source IP [any]
Destination IP [Untrust IP - Original destination Ip/Non_translated IP]
Application [ping]
Action [Allow]
N.B.: Please make sure this specific rule is above other generic rules with context Source Zone [Trust], Destination Zone [Trust].
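Added illustration, not code from the thread or from Palo Alto Networks: a small Python model of the lookup order the final reply relies on (the NAT rule is matched first and fixes the post-NAT destination zone; the security policy is then matched on the original, untranslated destination IP and the application). Zone subnets and addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone layout; Untrust takes the default route.
ZONES = {
    "Trust": ip_network("10.0.0.0/8"),
    "Untrust": ip_network("0.0.0.0/0"),
}

def zone_of(ip: str) -> str:
    """Route-lookup stand-in: the zone whose subnet contains ip."""
    addr = ip_address(ip)
    return next(z for z, net in ZONES.items() if addr in net)

@dataclass
class NatRule:
    original_dst: str
    translated_dst: str
    service: str = "any"  # the thread's NAT rule leaves service at any

@dataclass
class SecurityRule:
    from_zone: str
    to_zone: str          # POST-NAT zone (Trust for the translated server)
    dst_ip: str           # PRE-NAT (original, untranslated) address
    applications: frozenset
    action: str = "allow"

def evaluate(src_ip, dst_ip, app, nat_rules, sec_rules):
    """Return (action, translated_dst) in the firewall's lookup order:
    NAT lookup first to learn the destination zone, then the security
    policy matched on the original destination IP and the application."""
    translated = dst_ip
    for n in nat_rules:
        if n.original_dst == dst_ip:
            translated = n.translated_dst
            break
    from_zone, to_zone = zone_of(src_ip), zone_of(translated)
    for r in sec_rules:
        if (r.from_zone == from_zone and r.to_zone == to_zone
                and r.dst_ip in ("any", dst_ip)
                and ("any" in r.applications or app in r.applications)):
            return r.action, translated
    return "deny", translated  # implicit interzone deny

# The thread's final configuration, with constructed addresses.
NAT = [NatRule("203.0.113.10", "10.0.0.10")]
POLICY = [SecurityRule("Untrust", "Trust", "203.0.113.10", frozenset({"ping"}))]
```

Even though the NAT rule carries service any, only ping reaches the translated server because the security rule restricts the application; any other application to the same untranslated address falls through to the implicit deny.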