No ICMP hitting Palo Interface but ICMP is allowed

Showing results for 
Show  only  | Search instead for 
Did you mean: 

No ICMP hitting Palo Interface but ICMP is allowed

L1 Bithead

I have a greenfield Palo with a fresh ISP.

Have confirmed from the Palo I can source from my interface and ping outbound to anywhere in the world.

Interface mgmt has been set to allow ICMP, I've left the allowed IP's blank and also set my specific IP, neither allow ICMP traffic to the interface. 

The more frustrating thing is that nothing is hitting the interface at all so I can't get to GlobalProtect for VPN and this is holding up the cutover from legacy ASA's

Anyone have any thoughts other than call the ISP and upgrade firmware. Firmware is 10.2.0 now, ISP has been contacted and they say no issues. There is a /30 from the ISP and then a routed /28 over it. I'm using the /30 for GlobalProtect, this is the IP that can ping outbound. Nothing has been tested from the routed /28


Cyber Elite
Cyber Elite


Do you have a security policy to allow the ping to hit the interface? Also for the management interface, i would strongly advise that only specific IP's can get to it.



internet -> FW external IP (also a management interface).


This way you can get to the management interface of a remote PAN if you need to.


Hope that helps.

  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!