04-27-2021 11:51 PM
So far I can't ping the firewall from the network, and I can't ping the gateway or any PCs from the firewall. I have checked the ARP table and I don't see any MAC addresses there, so now I am starting to get concerned about the viability of this firewall. However, my experience with Palo Alto firewalls started with this device. My networking experience did not. I am running on 6.01, so obviously I would like to update the firewall so I can work with a more current version of PAN-OS. Finding documentation for 6.01 has not been very fruitful.
05-12-2021 11:11 AM
Hello. I am thinking that I would like you to ONLY have the PC connected to the management interface of the FW and nothing else. You shouldn't be able to see other traffic, because the Cat5 cable will act as a "network", connecting your PC and the FW together. Then console into the FW (via console/USB) and try to ping outbound from the FW. If you do not see any pings from the FW when only the PC and the FW are connected (again, not to a switch/hub, etc., but directly connected), then you may have a bum mgmt interface on the FW.
I am making presumptions that the FW was factory defaulted, and you manually typed the config in via the console cable, because you could not access the mgmt port directly.
There is also the other question/concern about licensing. It is great to have a FW to test/learn with, but an unlicensed FW will NOT pass traffic (or very limited sessions, like 5 or less, if even that)...
Let me know how you progress.
05-12-2021 03:05 PM
I connected just the PC to the firewall and I tried several different ports, and I had no luck pinging out of the firewall or pinging the firewall from the PC. The counters on the mgmt interface also are not going up, and Wireshark saw no ICMP traffic or any other traffic that wasn't generated by the PC itself. I have never seen a bad logical interface, but my experience is limited to Cisco and Bay Networks. Is there a way around this problem?
05-12-2021 05:03 PM
Hello there. The ONLY interface that will even come close to passing traffic is the mgmt port. If you connected to the mgmt port and you see zero packets, no counters (which counters did you look at? Did you try "show counter interface management"?)
Again, if there is no traffic in Wireshark and the counters are not moving, then I am not sure how you are convinced this is something we can get around. The FW appears to not transmit packets. You mentioned logical interface, why not physical interface (mgmt only)? You should plug into the mgmt port and at least see DNS attempts (if you configured DNS), or NTP (if you configured NTP). So, unless you are doing something wrong, and are not properly communicating how things are connected up, then NO, I do not think there is anything more to do.
05-12-2021 06:19 PM
Just noticed this
9914 packets transmitted, 0 received, +7854 errors
I saw it when I ended the pinging that I had left on.
Pretty sure that those were the counters that I had looked at earlier.
admin@PA-3020> show counter interface management
Interface: Management Interface
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Logical interface counters:
-------------------------------------------------------------------------------
bytes received 0
bytes transmitted 0
packets received 0
packets transmitted 0
receive errors 0
transmit errors 0
receive packets dropped 0
transmit packets dropped 0
multicast packets received 0
I didn't set up one of the Ethernet ports because I am still learning this CLI. I tried to set up Ethernet port 1/1. I got this when I tried to commit.
.
Validation Error:
zone -> untrust -> network -> virtual-wire 'ethernet1/1' is not a valid reference
zone -> untrust -> network -> virtual-wire is invalid
This operation invalidates configuration for devices -> localhost.localdomain -> vsys -> vsys1 -> zone -> untrust
network -> interface -> ethernet is invalid
[edit]
admin@PA-3020#
05-28-2021 11:31 PM
OK, I am now on the network. When I attempted to do a
admin@PA-3020> request system software check
I got this from the firewall
Server error : An active license is required for this feature
I'm guessing that this is a major roadblock.