12-05-2024 09:56 PM
Hello Everyone, I need a little assistance.
I am new to Palo Altos... I have just received and am trying to set up a PA-445... but I ran into the following issues:
- no incoming traffic hitting on anything (outbound traffic is OK: computers plugged into PA-445 on other ports can reach Internet)
- I would like the inside computer 192.168.0.57 to have traffic routed to it.
I have attached a diagram of the network setup. Port eth1/1 is connected to the Internet (port on the ISP Switch/Modem), with a configuration of Layer3, Outside Zone, 10.1.10.25/32 IPv4
All other ports are configured as Layer2, with one vlan attached to all (called 'VLAN'). I made a zone called 'Inside', and vlan is part of it. This is also Layer3. vlan makes its subnet 192.168.0.1/24.
My Virtual Router has one router, and includes interfaces: eth1/1 + vlan
The routing table for Virtual Router is Dest: 0.0.0.0/0, hop is 10.1.10.1/32, on eth1/1
My Security Policy looks like this:
1. From Outside (any), to Inside (any) - allow (no hits)
2. From Inside (any) to Outside (any) - allow (works great!)
NAT policy:
1. From Inside to Outside (any any any any), Source Translation: dynamic IP - 10.1.10.252/32, Dest. Translation : None
2. From Outside to Outside (any any any any), Source Translation: None, Dest. Translation: Dynamic IP, 192.168.0.57/32
The computer 192.168.0.57 can access the Internet...but absolutely no traffic is making it in (the Security Policy has 0 hits).
Any advice on what I am doing wrong? I have attached a diagram.
Thank you!
12-06-2024 04:01 AM - edited 12-06-2024 04:03 AM
Hi @NoRaindropsInTheSky ,
The cool thing about this document https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/nat/nat-configuration-examples... is that it has example security and NAT policy rules on the bottom. Follow those examples and your inbound traffic will work fine. Pay close attention to the zones used; the correct configuration may not be intuitive at first.
With regard to your traffic logs, traffic that does not match a security policy rule will hit the interzone-default rule. This rule does not log by default. You will need to highlight the rule, click the Override button on the bottom, configure logging, and commit your changes. Then you will see the dropped traffic in the logs.
Since you have an NGFW and a CSP (Customer Support Portal) account, you can also log into Beacon: https://beacon.paloaltonetworks.com. From there, search "firewall essentials". You will see the free 9.1 training. The PAN-OS is old, but the foundational configuration is the same. It is very good.
If you don't like the older audio/video type training, you can search for "next generation firewall". You will see training of the same name in the new interactive HTML format. Both free trainings have lots of good material.
If you have any questions as to why, feel free to ask.
Thanks,
Tom
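To illustrate the zone point in the reply above, here is an added example (not from the thread, the linked document, or PAN-OS itself): a small Python model of the order in which a PAN-OS firewall evaluates an inbound destination-NAT flow, using the addresses, zones and default route from the question. The NAT rule is matched on the pre-NAT destination zone (where 10.1.10.25 routes, i.e. Outside), while the security rule is matched on the post-NAT destination zone (Inside) but the pre-NAT destination address; the rule sets and the "wrong" variant are constructed for the demonstration.

```python
import ipaddress

# Constructed from the thread: eth1/1 (zone Outside) carries the default
# route, the vlan interface (zone Inside) owns 192.168.0.0/24.
ROUTES = {
    ipaddress.ip_network("192.168.0.0/24"): "Inside",
    ipaddress.ip_network("0.0.0.0/0"): "Outside",
}

def zone_for(ip):
    """Longest-prefix route lookup: zone of the interface that reaches ip."""
    addr = ipaddress.ip_address(ip)
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]

# Inbound destination NAT. The pre-NAT destination 10.1.10.25 (the eth1/1
# address) routes out eth1/1, so the NAT rule's zone pair is Outside->Outside.
NAT_RULES = [{"name": "inbound-to-57", "from": "Outside", "to": "Outside",
              "dst": "10.1.10.25", "translated": "192.168.0.57"}]

# Security policy matches the post-NAT destination zone (Inside) but the
# pre-NAT destination address (10.1.10.25). interzone-default never logs
# unless overridden, which is why a mismatch shows up as "0 hits" and no log.
INTERZONE_DEFAULT = {"name": "interzone-default", "from": "any", "to": "any",
                     "dst": "any", "action": "deny", "log": False}
SEC_CORRECT = [{"name": "allow-inbound", "from": "Outside", "to": "Inside",
                "dst": "10.1.10.25", "action": "allow", "log": True},
               INTERZONE_DEFAULT]
# Same rule written against the NAT rule's zone pair: it never matches.
SEC_WRONG = [dict(SEC_CORRECT[0], to="Outside"), INTERZONE_DEFAULT]

def match(rule_value, actual):
    return rule_value in ("any", actual)

def evaluate(src_zone, dst_ip, sec_rules):
    """Return which NAT and security rules an inbound packet hits."""
    pre_nat_zone = zone_for(dst_ip)
    nat = next((r for r in NAT_RULES if r["from"] == src_zone
                and r["to"] == pre_nat_zone and r["dst"] == dst_ip), None)
    post_nat_zone = zone_for(nat["translated"]) if nat else pre_nat_zone
    for r in sec_rules:
        if (match(r["from"], src_zone) and match(r["to"], post_nat_zone)
                and match(r["dst"], dst_ip)):
            return {"nat": nat["name"] if nat else None,
                    "to_zone": post_nat_zone, "rule": r["name"],
                    "action": r["action"], "logged": r["log"]}

if __name__ == "__main__":
    print(evaluate("Outside", "10.1.10.25", SEC_CORRECT))
    print(evaluate("Outside", "10.1.10.25", SEC_WRONG))
```

With the wrong zone pair the packet is still translated, but it falls through to interzone-default, which denies silently until logging is enabled on that rule as described above.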