05-31-2018 08:45 AM
After I upgraded my palo alto fro 7.1.15 to 7.1.16 I had a report that a certain vlan can not longer access the internet. I have a back up of the config before the upgrade and one after the upgrade and so far I don't see any change in virtual routers that would have cause the PA to block the traffic. I know that is very little information but if anyone has any suggestions I would appreciate it
05-31-2018 11:04 AM
While it wouldn't be impossible to see an update cause an issue with the configuration that may cause an issue like this, it would be abnormal. Looking at your logs to you see the traffic trying to come across the firewall or can you not even see the traffic?
05-31-2018 11:06 AM
There is absolutely no traffic from that vlan showing on the firewall at all.
05-31-2018 11:08 AM
I'd try to take a PCAP and see if the firewall simply isn't reporting the traffic. Past that I don't think an update would be able to cause this sort of situation short of it somehow managing to 'disable' the port.
05-31-2018 11:13 AM
I ran a continuous ping to the gateway in the vlan while I ran pcaps with the filter of my pc IP and the gateway IP. The only thing I saw was "no response found"
06-01-2018 07:25 AM
With a maintenance update this would be the only time I've ever seen or heard about a static route being removed. That isn't to say that it isn't impossible; I've seen routing tables get messed up due to upgrading major versions, but that was years ago and was extremely uncommon then.
I would take a look at your configuration logs and see if another admin didn't clean something up that should have still been there. I wouldn't suspect that the update caused this.
06-01-2018 07:27 AM
I take backup of the config before upgrading and the route that was added to fix the issue did not exist prior to the upgrade
06-01-2018 07:37 AM
I would guess then that this really wasn't the reason it stopped working; the route was simply what kicked it back into knowing where to send the traffic.
06-01-2018 07:59 AM
My conclusion as well that something before or after the PA changed and the added route let it go where it needed too again
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
