08-11-2016 02:44 PM
I have been given a PA200 to setup at home to get myself familiar with Palo Alto firewalls. I have a cable modem and wireless router that will need to be connected to the PA200. I have followed the instructions on this article to get it setup:
My problem once I completed the setup is that I cannot browse out to the internet. What am I doing wrong or what am I missing? Any help would be appreciated.
Thanks,
Hector
08-12-2016 01:49 AM
Hi,
Double check your security policy and NAT configuration. Remember that you are doing double NAT, so check your NAT policy carefully. What about your security logs? Is your traffic permitted or denied?
Thx,
Myky
08-12-2016 07:26 AM - edited 08-12-2016 07:27 AM
Hi Hector
It may be a good idea to create a temporary 'any any' security policy with a drop action and logging enabled at the very end of the rulebase, to make sure dropped sessions are logged and to help visualize anything that may not be picked up by a policy.
Next, you'll want to take a look at your traffic logs.
Is anything being blocked by the rule you created? Is there a lot of (or exclusively) logs with 'incomplete' as the action? These would mean packets are going out but nothing is coming back.
This could be due to a routing or a NATting issue.
If there are no logs, your internal hosts may be pointing to an incorrect gateway, the subnet on your interface may not correspond to your clients, or may be in a different subnet altogether.
Please also take a look at these articles to help you get started: Getting Started: The Series
08-16-2016 06:37 PM
Sorry for replying so late. I have only one NAT set up and it's the one specified in the instructions. I also created a temporary any any rule and moved it to the top, to no avail. One other thing: the logs are not getting generated now, so I can't see where the blocks are. How did I stop the logs from showing up?
Thanks,
Hector
08-16-2016 11:48 PM
Hi Hector,
Please check if you have logging enabled for the security policy:
Generally, it should be enabled on "session end".
08-17-2016 05:44 AM
Thanks, I did check both security policies and they are set to "Log at Session End". Also, I was thinking my routing could have been set up wrong. I have the following:
Cable modem: 192.168.100.1 - After I log in I see CM MODEM IP and it's on a 10.x.x.x network
Wireless Router: 192.168.1.253
PA: 192.168.1.252
What should my routing be setup as?
-Hector
08-17-2016 06:26 AM
Are you running this plugged into your wireless router? Where is your default routing statement currently sending your traffic, are you trying to send it directly to your modem or your wireless router? Generally speaking you would replace your wireless router with your PA-200.
It may be a little more helpful if you send a screenshot of how you actually setup the routing on this device, I suspect at this point that routing is likely your issue.
08-17-2016 07:52 AM - edited 08-17-2016 07:53 AM
Hi,
So you have to have a static default route configured on your PA pointing to your router IP address. But as BPry said, it is better to see a topology, so it will be much easier to help you.
Thx,
Myky
08-17-2016 06:46 PM
The setup instructions state to set up the route "pointing to the ISP's next hop". This is where I'm getting confused: am I supposed to send it to my wireless router, to the cable modem, or to the hop after the cable modem?
Thanks,
Hector
08-17-2016 11:58 PM - edited 08-18-2016 06:42 AM
Hi Hector,
So if you are connected to the Internet "through" your wireless router (you have a cable going to the router), then the static route should be pointing to the wireless router IP address. Your cable modem, as I understood, is there just for signal converting, so you cannot manage it. Is it similar to this set-up:
Could you please confirm your wireless router IP address/network? Also email me here: mayk.08@mail.ru so I can send you some more helpful info.
Thx,
Myky
08-18-2016 06:24 AM
Your setup is rather odd, and without looking over the total configuration I can't tell what's wrong; I can only take crack shots on the information you provide. I did notice that the current route for 192.168.1.0/24 is showing your next hop as 192.168.1.254, which I didn't see mentioned anywhere in your network setup. What does your interface configuration look like?
This might be a little faster to just dump the configuration, take out everything you don't want people to see, and upload the file. I feel like there may be multiple small configuration errors across the configuration that you are running into, that would take a while for the forum to pinpoint each individual issue with screenshots.
It might be worth throwing your wireless router out of the picture and setting up an "UnTrust" zone on your firewall along with a "Trust" zone, and setting your "UnTrust" interface as DHCP. Understanding that you will still need wireless, put your wireless router behind the firewall and simply put it in AP mode. Running your firewall behind your wireless router isn't exactly the best setup anyways from a security perspective, as this would allow wireless users to completely bypass any security that you have set up on the firewall.
08-18-2016 03:10 PM - edited 08-18-2016 03:14 PM
Hi,
If your wireless router IP is 192.168.1.253 then you got your default route correct. Use Layer 3 mode for your interface configuration. Your PA interface has the assigned IP 192.168.1.254/24. Put this interface in the "untrust" zone. Create another "trust" zone with a different IP address range, assign the other interface to this zone, and set up DHCP on it. For DNS you can use your wifi router IP or Google DNS. For the clients in the "trust" zone the DG is going to be your PA interface (trust zone IP). Configure NAT (PAT) pointing to your external PA IP address (192.168.1.254). Create a security policy for traffic going from the "trust" > "untrust" zone. This will be enough for you to get familiar with Palo Alto, so you can test things, but it is a temporary set-up 🙂
Hope it helps.
Thx,
Myky
08-18-2016 08:10 PM - edited 08-18-2016 08:11 PM
Why would you point the default route to the wireless router? That means your wi-fi won't go through the firewall.
In step 3 there are two if statements, you either do one or the other.
If you have a cablemodem then it is most likely serving DHCP. Just configure ethernet1/1 as DHCP client and accept whatever default route the cablemodem gives you, no need for manual input of static route.
And remember to restart the cablemodem so that it releases the association to the MAC address of your old device.
08-18-2016 11:22 PM - edited 08-18-2016 11:22 PM
Hi,
As I understand, he cannot connect/attach the Palo directly to the modem; that is why he has to go through the wireless router.
Sure, you are correct if you can connect the Palo directly to the modem.
P.S. I could do it because my modem/router is Virgin Media and has a specific interface: