palo alto networks configuration




I configured a PA-500 in routing mode in our company. I set the zones, the security rules, and the NAT rules. I allow all traffic from the trust zone to the untrust zone. But the problem is that there is no internet connection. We use a DNS server that is in the trust zone.

I added a security rule from the untrust zone to the trust zone (with the address of the DNS server), but the problem remains: we don't have an internet connection in the office. I followed all the steps of the PAN administration guide in my configuration, but I still have the same issue!


Can anyone please help me resolve this problem?


Cyber Elite



Here are a couple of things you can check to make sure everything is set up properly.


From the CLI, check if you can see all relevant MAC addresses:

> show arp all


Verify that your routing is configured properly (you'll need a default gateway):

> show routing route


Make sure all interfaces have been configured with the proper IP/subnet:

> show interface all


Make sure all hosts can be reached on the connected interface:

> ping source <trust_interface_IP> host <internal_client_IP>

> ping source <untrust_interface_IP> host <internet_router_IP>


See if you can reach the internet from the untrust interface:

> ping source <untrust_interface_IP> host


And lastly from the trust interface:

> ping source <trust_interface_IP> host


You can start a session from a host in the trust zone and then check the sessions being created:

> show session all


It should look something like this:

ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
24795        ping           ACTIVE  FLOW  NS[512]/trust/1  ([512])
vsys1                                [33024]/untrust  ([33024])
24796        ping           ACTIVE  FLOW  NS[512]/trust/1  ([512])
vsys1                                [33280]/untrust  ([33280])

Then verify a session's parameters:

> show session id <id#>


Session           24795

        c2s flow:
                source: [trust]
                proto:       1
                sport:       512             dport:      33024
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source: [untrust]
                proto:       1
                sport:       33024           dport:      512
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                           : Mon Oct  5 09:38:48 2015
        timeout                              : 6 sec

Please note the difference between the c2s and s2c flows.

You'll see that the c2s flow has a source IP, which is my internal IP, whereas the s2c flow has a destination, which is my NAT address; this will show you if NAT is being applied properly.


Hope this helps you get started; please let us know if it helps.



Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy
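As an added illustration of the c2s/s2c check described in the reply above (this is not code from the post or from Palo Alto Networks), here is a small Python parser that reads `show session id` output and reports whether source NAT was applied. The sample text is constructed, and it assumes the real output prints the IP address before the zone name (as in `source: 192.168.1.20 [trust]`) plus a separate `dst:` line.

```python
import re

# Constructed sample of `show session id` output, modelled on the post's
# excerpt with placeholder addresses. Assumption: PAN-OS prints the IP before
# the zone ("source:      192.168.1.20 [trust]") and a separate "dst:" line.
SAMPLE = """\
Session           24795

        c2s flow:
                source:      192.168.1.20 [trust]
                dst:         198.51.100.10
                sport:       512             dport:      33024

        s2c flow:
                source:      198.51.100.10 [untrust]
                dst:         203.0.113.5
                sport:       33024           dport:      512
"""

FLOW_RE = re.compile(r"^\s*(c2s|s2c) flow:", re.M)
FIELD_RE = re.compile(r"^\s*(source|dst):\s+(\S+)(?:[ \t]+\[(\w+)\])?", re.M)

def parse_flows(text):
    """Return {'c2s': {...}, 's2c': {...}} with source/dst IPs and zones."""
    flows = {}
    marks = list(FLOW_RE.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        fields = {}
        for f in FIELD_RE.finditer(text[m.end():end]):
            fields[f.group(1)] = f.group(2)
            if f.group(3):
                fields[f.group(1) + "_zone"] = f.group(3)
        flows[m.group(1)] = fields
    return flows

def check_nat(text, internal_ip, nat_ip):
    """The post's test: c2s source must be the internal client and s2c
    destination must be the translated (NAT) address. Returns (ok, why)."""
    flows = parse_flows(text)
    c2s, s2c = flows.get("c2s", {}), flows.get("s2c", {})
    if c2s.get("source") != internal_ip:
        return False, "c2s source %s is not the client %s" % (c2s.get("source"), internal_ip)
    if s2c.get("dst") == internal_ip:
        return False, "s2c flow returns to the private address: source NAT not applied"
    if s2c.get("dst") != nat_ip:
        return False, "s2c dst %s is not the expected NAT address %s" % (s2c.get("dst"), nat_ip)
    if (c2s.get("source_zone"), s2c.get("source_zone")) != ("trust", "untrust"):
        return False, "zones are not trust -> untrust; check interface/zone assignment"
    return True, "source NAT applied: %s -> %s" % (internal_ip, nat_ip)
```

Paste the real `show session id` output into `check_nat` with your client address and the address configured in the NAT rule; a return flow whose destination is still the private address is the symptom of a NAT rule that never matched.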