issues after deployed VM-PA under VMware

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

issues after deployed VM-PA under VMware

L3 Networker

Hello Community,

 

I'm creating a lab with vmware vsphere 5.5.

 

I deployed two firewall with the following network configuration in vmware.

 

The issue is from the firewall I can to ping to my untrust and trust interfaces. But when I doing ping to the linux pc the ping failed.

 

From the linux pc try to reseach to internet and the connection is failed.

 

In the vmware I set up the promiscuos mode is enable.

vmwareconfig.JPG

 

 

This is the PA config interfaces and policies.

 

 

PA interfaces.JPG

 

 

PApolicies.JPG

 

Please your help to continue with my lab.

 

best regards

Andres

 

Best Regards
8 REPLIES 8

L6 Presenter

Hi,

 

Usually, you will be able to ping your own (itself) interfaces. 

First thing configures a mgmt profile and attach to the interface so it will be easy to troubleshoot. See below hot to do it:

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Allow-Ping-and-ICMP-on-Layer-3-In...

 Check the interface  mapping:

 

network adapter = BRIDGED. This is actually your management interface and you don't see it in the network TAB of the device

network adapter 2 = VMnet(X) This is actually your first interface = ethernet1/1

network adapter 3 = VMnet(X) This is actually your first interface = ethernet1/2

network adapter 4 = VMnet(X) This is actually your first interface = ethernet1/3

 

After this you know that Palo is going to reply for the ping. So the first step is to make sure Linux host can ping PA interface.

Check the arp table on the Linux machine to confirm you are on the same Layer 2 broadcast domain with Palo.

Check if the Palo can resolve DNS requests. 

 

Thx,

Myky

L3 Networker

You have to allow ping in a interface management profile. And assign it to your interfaces

 

Starting from pan-os 7.0  promiscuous mode is no longer required

see here:

https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/virtualization-features/su...

 

Hi, 

 

do you activated the setting: 

Use Hypervisor Assigned MAC Addresses (VM-Series firewalls only)
Select this option to have the VM-Series firewall use the MAC address that the hypervisor assigned, instead of generating a MAC address using the PAN-OS®custom schema.

Is under Device - Setup - Management

 

I had this problem also, but after i activated this setting everything works.

 

Frank

L3 Networker

thanks, today I will proceeding with this changes.

Best Regards

L3 Networker

Me again.

 

I can to ping the untrust zone or ethernet 1/2(192.168.120.21)  from the linux machine. but when I try to ping the trust zone (172.16.10.2) the linux console show the following message " Time to live exceded "

 

Change ip  the linux pc from 192.168.120.9 to 172.16.10.20 and try to ping the untrust zone  or trust zone and the result is failed.

 

And try to access to internet from the linux pc, and fail.

So I do not know if I'm missing some configuration in the firewall or in my vsphere. 

 

This is the config running

 

admin@fw01> show config running

config {
mgt-config {
users {
admin {
phash fnRL/G5lXVMug;
permissions {
role-based {
superuser yes;
}
}
}
}
}
shared {
application;
application-group;
service;
service-group;
botnet {
configuration {
http {
dynamic-dns {
enabled yes;
threshold 5;
}
malware-sites {
enabled yes;
threshold 5;
}
recent-domains {
enabled yes;
threshold 5;
}
ip-domains {
enabled yes;
threshold 10;
}
executables-from-unknown-sites {
enabled yes;
threshold 5;
}
}
other-applications {
irc yes;
}
unknown-applications {
unknown-tcp {
destinations-per-hour 10;
sessions-per-hour 10;
session-length {
maximum-bytes 100;
minimum-bytes 50;
}
}
unknown-udp {
destinations-per-hour 10;
sessions-per-hour 10;
session-length {
maximum-bytes 100;
minimum-bytes 50;
}
}
}
}
report {
topn 100;
scheduled yes;
}
}
}
devices {
localhost.localdomain {
network {
interface {
ethernet {
ethernet1/1 {
layer3 {
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
ip {
172.16.10.2;
}
lldp {
enable no;
}
interface-management-profile "mgm profile";
}
comment trust;
}
ethernet1/2 {
layer3 {
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
ip {
192.168.120.21;
}
lldp {
enable no;
}
interface-management-profile "mgm profile";
}
comment untrust;
}
}
}
profiles {
monitor-profile {
default {
interval 3;
threshold 5;
action wait-recover;
}
}
interface-management-profile {
"mgm profile" {
https yes;
ssh yes;
ping yes;
}
}
}
ike {
crypto-profiles {
ike-crypto-profiles {
default {
encryption [ aes-128-cbc 3des];
hash sha1;
dh-group group2;
lifetime {
hours 8;
}
}
Suite-B-GCM-128 {
encryption aes-128-cbc;
hash sha256;
dh-group group19;
lifetime {
hours 8;
}
}
Suite-B-GCM-256 {
encryption aes-256-cbc;
hash sha384;
dh-group group20;
lifetime {
hours 8;
}
}
}
ipsec-crypto-profiles {
default {
esp {
encryption [ aes-128-cbc 3des];
authentication sha1;
}
dh-group group2;
lifetime {
hours 1;
}
}
Suite-B-GCM-128 {
esp {
encryption aes-128-gcm;
authentication none;
}
dh-group group19;
lifetime {
hours 1;
}
}
Suite-B-GCM-256 {
esp {
encryption aes-256-gcm;
authentication none;
}
dh-group group20;
lifetime {
hours 1;
}
}
}
global-protect-app-crypto-profiles {
default {
encryption aes-128-cbc;
authentication sha1;
}
}
}
}
qos {
profile {
default {
class {
class1 {
priority real-time;
}
class2 {
priority high;
}
class3 {
priority high;
}
class4 {
priority medium;
}
class5 {
priority medium;
}
class6 {
priority low;
}
class7 {
priority low;
}
class8 {
priority low;
}
}
}
}
}
virtual-router {
default {
protocol {
bgp {
enable no;
dampening-profile {
default {
cutoff 1.25;
reuse 0.5;
max-hold-time 900;
decay-half-life-reachable 300;
decay-half-life-unreachable 900;
enable yes;
}
}
routing-options {
graceful-restart {
enable yes;
}
}
}
}
interface [ ethernet1/1 ethernet1/2];
ecmp {
algorithm {
ip-modulo;
}
}
routing-table {
ip {
static-route {
default-gateway {
nexthop {
ip-address 192.168.120.1;
}
bfd {
profile None;
}
interface ethernet1/2;
metric 10;
destination 0.0.0.0/0;
}
intranet {
nexthop {
ip-address 0.0.0.0;
}
bfd {
profile None;
}
interface ethernet1/2;
metric 10;
destination 192.168.120.0/24;
}
}
}
}
}
}
}
deviceconfig {
system {
ip-address 192.168.120.20;
netmask 255.255.255.0;
update-server updates.paloaltonetworks.com;
update-schedule {
threats {
recurring {
weekly {
day-of-week wednesday;
at 01:02;
action download-only;
}
}
}
}
timezone US/Pacific;
service {
disable-telnet yes;
disable-http yes;
}
hostname fw01;
default-gateway 192.168.120.1;
dns-setting {
servers {
primary 8.8.8.8;
secondary 200.91.75.5;
}
}
}
setting {
config {
rematch yes;
}
management {
hostname-type-in-syslog FQDN;
}
auto-mac-detect yes;
}
}
vsys {
vsys1 {
application;
application-group;
zone {
trust {
network {
layer3 ethernet1/1;
}
}
untrust {
network {
layer3 ethernet1/2;
}
}
}
service;
service-group;
schedule;
rulebase {
security {
rules {
"allow access to internet" {
to untrust;
from trust;
source any;
destination any;
source-user any;
category any;
application any;
service any;
hip-profiles any;
action allow;
}
"allow access" {
to trust;
from untrust;
source any;
destination any;
source-user any;
category any;
application any;
service any;
hip-profiles any;
action allow;
}
}
}
nat {
rules;
}
default-security-rules {
rules {
intrazone-default {
action allow;
log-start no;
log-end yes;
}
}
}
}
import {
network {
interface [ ethernet1/1 ethernet1/2];
}
}
}
}
}
}
}

admin@fw01>

Best Regards

L3 Networker

 

I can to ping the google.com and updates.paloaltonetworks.com

 

ping.JPG

Best Regards

Hi,

 

Changing ip on the linux box from one subnet to another will not help as you need to remap you VM interface to one that connects to the Palo. Are you free now ? Can you email to mlskrypka@gmail.com

Hello

 

My email is apadillav21@gmail.com

Best Regards
  • 5091 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!