Interface to interface connectivity not working


L1 Bithead

Hello. Apologies in advance, but I'm a newbie on Palo Altos. I come from working on Check Points and Junipers and am now tasked with setting up a Palo Alto. I've got my network working to where all the VLANs hanging off the PAN can ping it and it can ping them; however, anything from interface to interface (VLAN to VLAN) isn't working. I've got an any/any/any allow rule on the Palo Alto for the moment, but am I missing a setting or a configuration item to make the PAN aware of the other networks? I didn't think I needed a route if everything was directly connected?

 

thanks in advance


L6 Presenter

Hey,

 

I guess you have all your subinterfaces in different zones. How do you have your security policies configured? Do you allow the traffic between the VLANs? Can you post a screenshot of the policies? And yes, if all subinterfaces (networks) terminate on the Palo, there is no need for routing, as they are directly connected networks:

 

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-Subinterfaces/ta-p/67...

Hello! There are about 5 interfaces configured and yes, all in different zones. Right now I just have 1 security rule installed for testing purposes that allows any source to any destination on any port, action accept... so I didn't think I had a security policy issue? Unless I'm not understanding the way to do PAFW policies exactly correctly? I can post a screenshot, but I've since left the office and will have to do it when I return.

 

So I'm now starting to think/wonder that it's not a routing issue, as I figured it wasn't, but maybe I don't have the right rules in place?

OK, if the FW is doing the routing for these VLANs (subinterfaces), we should see the session created by the Palo (we should see it anyway, even :0) and the traffic logs for these sessions. What PAN-OS are you on? Is it a hardware or VM appliance? Just in case, you can override the default policy to "allow" and log the session at start and end, then initiate any traffic between the VLANs and check the logs:

 

[screenshot: INT-DF.PNG]

 

I am pretty sure the answer is there.

Thank you for the help so far, it is greatly appreciated! These are hardware appliances, 3020s in a cluster. I have to get the OS version tomorrow. Can you tell me what time zone you are in so I can have an idea how far apart we are?

 

Can you tell me how to do a tcpdump on the PAFW?

 

Also, the logs... for some reason I am not seeing any traffic logs appearing? It looks like there were logs from several weeks ago but nothing since... so I was trying to determine if this traffic was reaching the PAFW first.

Hi,

 

PCAP here. Check the GUI option, as it is easier than using the CLI. UK GMT time zone. OK, let's take a step back then. First attach a management profile with the "ping" option ticked to every subinterface and confirm you can reach all of them from the client side (from every VLAN), and after that we will go from there.

Perfect. I am in the UK as well at the moment.

 

I can confirm I have a management profile with ping enabled on each interface, and I can ping a device on each interface from the PAFW itself, but I cannot ping from one device on one interface to another device behind another interface.

 

I will try the PCAP this morning and will look at your other suggestion for the rule override.

Hello! Good news, I think I was able to resolve this particular issue. It's a result of my lack of experience with Palo Alto rules: it looks like I had an intrazone-default rule, but I needed an interzone-default rule as well. Once I created that, I have connectivity across the interfaces.

 

 

thank you

I do also have a bit of a more serious question regarding the configuration of a NAT rule and how to do all that is involved with that.
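The resolution above turns on a PAN-OS detail worth making explicit. A security rule has a type (universal, intrazone or interzone): an intrazone rule only ever matches traffic whose source and destination zones are the same, so an "any/any/any allow" rule of that type never matches VLAN-to-VLAN traffic, which then falls through to the predefined interzone-default rule, and that rule denies. Pinging the firewall's own subinterface address is not governed by the rulebase at all (the interface management profile controls it), which is why "can ping the firewall but not through it" is consistent with a policy problem. The following is an added example written for this page, not code from the thread or from Palo Alto Networks: a small model of that first-match evaluation. The zone names and rule names are constructed, and the assumption that the poster's test rule was of type intrazone is exactly that, an assumption; the original rule was never posted.

```python
from dataclasses import dataclass, field

ANY = "any"


@dataclass
class Rule:
    """One security rule, reduced to the zone match and the rule type.

    rule_type mirrors PAN-OS: "universal" matches both same-zone and
    cross-zone traffic, "intrazone" only same-zone, "interzone" only cross-zone.
    """
    name: str
    from_zones: set = field(default_factory=lambda: {ANY})
    to_zones: set = field(default_factory=lambda: {ANY})
    action: str = "allow"
    rule_type: str = "universal"

    def matches(self, src_zone: str, dst_zone: str) -> bool:
        same_zone = src_zone == dst_zone
        if self.rule_type == "intrazone" and not same_zone:
            return False
        if self.rule_type == "interzone" and same_zone:
            return False
        return (ANY in self.from_zones or src_zone in self.from_zones) and (
            ANY in self.to_zones or dst_zone in self.to_zones
        )


# The two predefined rules that sit at the bottom of every PAN-OS rulebase:
# same-zone traffic is allowed, cross-zone traffic is denied unless a rule above says otherwise.
DEFAULT_RULES = [
    Rule("intrazone-default", action="allow", rule_type="intrazone"),
    Rule("interzone-default", action="deny", rule_type="interzone"),
]


def evaluate(rulebase, src_zone: str, dst_zone: str, defaults=DEFAULT_RULES):
    """Top-down, first match wins; the predefined defaults always match something."""
    for rule in list(rulebase) + list(defaults):
        if rule.matches(src_zone, dst_zone):
            return rule.name, rule.action
    raise RuntimeError("unreachable: the defaults cover every zone pair")


# Constructed rulebases (zone names are hypothetical, not the poster's).
# Assumed starting point: the "any/any/any" test rule was created with type intrazone.
BROKEN_RULEBASE = [Rule("test-any", rule_type="intrazone")]

# What the poster ended up with: an explicit cross-zone allow (restrict it in production).
FIXED_RULEBASE = [
    Rule("test-any", rule_type="intrazone"),
    Rule("allow-vlan-to-vlan", from_zones={"vlan10", "vlan20"},
         to_zones={"vlan10", "vlan20"}, rule_type="interzone"),
]


def compare(src_zone: str, dst_zone: str):
    """Return (broken_result, fixed_result) for one zone pair."""
    return evaluate(BROKEN_RULEBASE, src_zone, dst_zone), evaluate(FIXED_RULEBASE, src_zone, dst_zone)


if __name__ == "__main__":
    for pair in (("vlan10", "vlan10"), ("vlan10", "vlan20"), ("vlan10", "untrust")):
        print(pair, compare(*pair))
```

Note the third pair in the demo: the fixed rulebase still denies vlan10 to untrust, because the added interzone rule lists only the two VLAN zones. That is the behaviour you want; the lesson is to check the rule type and the logged rule name (the traffic log shows which rule matched, including interzone-default once logging is enabled on it, as suggested earlier in the thread) rather than to widen the test rule further.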

Hi there,

 

I'd like to ask if you would mind asking your questions on the forum, as this will quite possibly help other novice users find their way around the obstacles you are currently facing. Think of the young'uns! 😉

 

In regards to your NAT question, have you looked at this article: Getting Started: Network Address Translation (NAT)?

This should be a good start to provide an answer to most of your NAT questions. Feel free to ask any and all follow-up questions (preferably on the forum so other people may benefit).

 

 

also, there's this series of articles that could help you set up: Getting Started: The Series

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L6 Presenter

Hey Brian,

 

I think the forum is a better way, as @reaper has mentioned already. But just in case, I have also sent a PM.

Hi all, yes, thank you. I agree it would be best to keep it here for future reference, so I will do that.

 

Palo has a Virtual Router concept:

 

https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/networking/configure-a-virtual-route...

 

It has to be attached to the interface 

You would configure the assigned virtual router to have a static entry of 0.0.0.0/0, point it to the outside/untrust interface and assign the next hop.

 

[screenshot: Capture.JPG]

 

 

 

 

--
CCNA Security, PCNSE7
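Tying the virtual router post together with the original question of whether a route is needed at all: the virtual router's table holds a connected route for every Layer 3 interface or subinterface that is a member of that router (if the interface is not attached to the router, its connected route simply never appears), plus whatever static routes you add, such as the 0.0.0.0/0 entry described above. The lookup is longest prefix match, so VLAN-to-VLAN traffic hits the connected /24 and needs no static route, while anything not covered by a connected network needs the default. The route lookup is also what picks the egress interface, and therefore the destination zone that the security policy is matched against. The following is an added example written for this page, not code from the thread or from Palo Alto Networks; the interface names and addresses are a constructed sample.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str                                  # egress interface
    next_hop: Optional[ipaddress.IPv4Address]       # None means directly connected
    source: str                                     # "connected" or "static"


def connected_routes(interfaces):
    """interfaces: {interface name: 'address/prefixlen'} for the L3 (sub)interfaces
    that are members of the virtual router. Each address yields one connected route."""
    return [
        Route(ipaddress.ip_interface(cidr).network, name, None, "connected")
        for name, cidr in interfaces.items()
    ]


def static_route(destination, interface, next_hop):
    return Route(ipaddress.ip_network(destination), interface,
                 ipaddress.ip_address(next_hop), "static")


def lookup(fib, dst):
    """Longest-prefix match. Returns the winning Route, or None if nothing covers dst."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in fib if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


# Constructed sample, not the poster's configuration: two VLAN subinterfaces
# on the inside and one untrust interface, all attached to the same virtual router.
INTERFACES = {
    "ethernet1/2.10": "10.0.10.1/24",
    "ethernet1/2.20": "10.0.20.1/24",
    "ethernet1/1": "203.0.113.2/30",
}
CONNECTED_ONLY = connected_routes(INTERFACES)
WITH_DEFAULT = CONNECTED_ONLY + [static_route("0.0.0.0/0", "ethernet1/1", "203.0.113.1")]


def egress(dst, fib=WITH_DEFAULT):
    """(interface, route source, next hop) for dst, or None when the packet has no route."""
    r = lookup(fib, dst)
    if r is None:
        return None
    return r.interface, r.source, "connected" if r.next_hop is None else str(r.next_hop)


if __name__ == "__main__":
    for dst in ("10.0.20.5", "10.0.10.9", "8.8.8.8"):
        print(dst, "connected-only:", egress(dst, CONNECTED_ONLY), "with default:", egress(dst))
```

A host in VLAN 10 reaching a host in VLAN 20 resolves to ethernet1/2.20 via the connected route in both tables, so no static entry is involved; only a destination outside the connected networks (8.8.8.8 in the demo) changes from "no route" to the default route once the 0.0.0.0/0 static is added. On the real firewall, "show routing route" on the CLI lists the same table, and the egress interface it picks determines the zone you must permit in policy.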

Thank you on that, I think I've found it.

 
