I am trying to get my firewall on the network for the first time.

Showing results for 
Show  only  | Search instead for 
Did you mean: 

I am trying to get my firewall on the network for the first time.

L1 Bithead

So far I cant ping the firewall from the network and I can't ping the gateway or any pcs from the firewall.  I have checked the arp table and I don't see any mac addresses there, so now I am starting to get concerned about the viability of this firewall.  However my experience with paloalto firewalls started with this device.  However my networking experience did not.  I am running on 6.01.  So obviously I would like to update the firewall so I can work with a more current version of PANOS.  Finding documentation for 6.01 has not been very fruitful.  


Cyber Elite
Cyber Elite

Hello.  I am thinking that I would like you to ONLY have the PC connected to the management interface of the FW and nothing else.  You shouldnt be able to see other traffic, because the cat5 cable will act as a "network", connecting your PC and the FW together.  Then console into the FW (via console/usb) and try to ping outbound from the FW.  If you do not see any pings from the FW, when only the PC and the FW are connected (again, not to switch/hub, etc), but directly connected, then you may have a bum mgmt interface on the FW.  


I am making presumptions that the FW was factory defaulted, and you manually typed the config in, via the console cable, because you could not access the mgmt port directly. 


There is also the other question/concern about licensing.  It is great to have a FW to test/learn with.. but an unlicensed FW will NOT pass traffic (or very limited sessions, like 5 or less, if even that)...


Let me know how you progress.

Help the community: Like helpful comments and mark solutions

L1 Bithead

I connected just the pc into the firewall and i tried several different ports, and I had no luck pinging out of the firewall or pinging the firewall from the pc.  The counters on the mgt interface also are not going up, and wireshark saw no icmp trafic or any other traffic that wasn't generated by the pc itself.  I have never seen a bad logical interface, but my experience is limited to Cisco and Bay Networks.  Is there a way around this problem.  

Hello there.  the ONLY interface that will even come close to passing traffic is the mgmt port.  If you connected to the mgmt port and you see zero packets, no counters (which counters did you look at?  Did you try "show counter interface management"




Again, if no traffic on the wireshark, counters are not moving, then I am not sure how you are convinced this is something we can get around.  The FW appears to not transmit packets. You mentioned logical interface, why not physical interface (mgmt only).. you should plug into the mgmt port and at least see DNS attempts (if you configured DNS), or NTP (if you configured ntp) So, unless you doing something wrong, and are not properly communicating how things are connected up, then NO, i do not think there is anything more to do.  

Help the community: Like helpful comments and mark solutions

L1 Bithead

Just noticed this

9914 packets transmitted, 0 received, +7854 errors

Seen it when I ended the pinging that I had left on. 


Pretty sure that those were the counters that I had looked at earlier


admin@PA-3020> show counter interface management

Interface: Management Interface

Logical interface counters:
bytes received 0
bytes transmitted 0
packets received 0
packets transmitted 0
receive errors 0
transmit errors 0
receive packets dropped 0
transmit packets dropped 0
multicast packets received 0

I didn't setup one of the ethernet ports cause I am still learning this CLI.  I tried to setup ethernet port 1/1.  I got this when I tried to commit. 


Validation Error:
zone -> untrust -> network -> virtual-wire 'ethernet1/1' is not a valid referenc
zone -> untrust -> network -> virtual-wire is invalid
This operation invalidates configuration for devices -> localhost.localdomain ->
vsys -> vsys1 -> zone -> untrust
network -> interface -> ethernet is invalid

L1 Bithead

Ok I am now on the network.  when I attempted to do a

admin@PA-3020> request system software check

I got this from the firewall

Server error : An active license is required for this feature

I'm guessing that this is a major road block. 


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!