10-25-2015 09:35 PM
Dear All,
I'm doing POC at customer who use Checkpoint as Internet Firewall. So i deploy Palo Alto behind Checkpoint firewall in vwire mode. After We configure and install policy everything running well and to minimize the risk we configure permit all any any in the bottom of security policy. At the end of the PoC we try to disable the Permit all rule, but traffic not passing throught. Is there is any port or application or something i need to allow from palo alto? or there is spesific port from checkpoint i need to allow?
My rule style is like this:
- permit spesific plus security profile
- permit General plus security profile
- permit any any
Topology: Router----Checkpoint----Paloalto-----Switch
10-28-2015 03:38 PM
Gabriel,
Rules are only needed in the zone direction for which the traffic is initiated at the tcp level. You do not need a matching reverse direction rule as the firewall is "stateful" and aware of the session traffic.
So web browsing (http/https) from trust to untrust only needs a permit rule from trust to untrust. You do not need an untrust to trust rule for this to work.
10-26-2015 12:02 AM
Hi,
What does the traffic log say? Do you see the sessions? Are they allowed or denied?
10-26-2015 01:25 AM
Hi Gabriel
if you switch the permit any rule to a block any rule, you should see what is being blocked exactly. This can help you pinpoint any service that may need to pass though.
Can you verify in the traffic logs that the source and destination zones are correct? A common issue with vwire configuration is that trust and untrust get switched by accidentally switching the cables. If you then disable the any rule traffic will start getting blocked as it is flowing in the "wrong" direction.
hope this helps
Tom
.png "Satish"){kind=avatar}
10-26-2015 04:46 AM
Hi Gabriel,
Please check all licenses are activated or not. if yes than check the your network configuration.
Regards
Satish
10-26-2015 03:58 PM
Check the logs for the original permit rule and you will see what traffic is hitting this even before you turn it off or to block.
10-28-2015 03:14 AM
Because when i disable permit any any rule.. there is no log about that. I will try to make deny any any rule before i disable permit any any rule so i can get the log about that. Once more i wanna ask, do i need to permit rule from untrust to trust for spesific application or port like http/web browsing or https/sll, or something like that?
10-28-2015 04:58 AM
You can override last default inter zone rule and enable logging traffic that matches that rule.
10-28-2015 03:38 PM
Gabriel,
Rules are only needed in the zone direction for which the traffic is initiated at the tcp level. You do not need a matching reverse direction rule as the firewall is "stateful" and aware of the session traffic.
So web browsing (http/https) from trust to untrust only needs a permit rule from trust to untrust. You do not need an untrust to trust rule for this to work.
03-13-2026 04:15 AM
I know this one is very old but the provided solution was not working for me. I experienced the issue that i've configured the virtual wire like described on documentation and traffic forwarding and DHCP was not working. In my environment I use ESXI 7.0 Update 3. Palo Alto VM 11.2.10h3 as edge FW and 12.1.5 as virtual wire. Client behind didn't get any IP and saw no ARPs. The problem was on the ESXI virtual switch. The solution was:
03-13-2026 06:19 AM
Hi @K.Kreilos ,
Thank for sharing this!
This is a perfect reminder for anyone running a lab or a virtual edge on 11.2 or 12.1.
Thanks again for taking the time to post the specific fix!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
