02-14-2021 09:43 PM - edited 03-23-2021 06:31 PM
02-15-2021 04:41 AM - edited 02-15-2021 04:43 AM
why do you want to have the palo connected like this? there is no added value to having the additional hop if traffic is not going to return symmetrically (no offence, but this is just bad design)
ideally you would connect cisco-switch-vlan-1 to a different interface of the palo (you could even set it in layer2 mode so you don't need to worry about the subnet broadcast domain) and be able to see packet flow in both directions
less ideally just force traffic from the switch to the firewall so it is able to form sessions and inspect traffic
even less ideally set up u-turn NAT so packets bounced off of the palo like this are source NATed to the firewall IP so returning packets come back to it's interface
anything but the bermuda triangle of tcp inspection©
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
