PaloAlto failing communication for Kali Linux



Kali, Windows and RHEL are installed in a lab behind Palos on a directly connected VLAN. Windows and RHEL have no issue communicating to the internet or pinging the firewall interface. But for Kali, Palo captures show only receive and no transmit or even drop packets.

 

All 3 are getting IP from DHCP on the Palo interface, and share common NAT/security policies and routes. I have even tried removing profiles from the policy.

 

Ping from Kali to firewall interface shows:

[image.png]

Kali:

[image.png]

RHEL:

[image.png]

[image.png]


2 Replies

Hi @raji_toor 

The packet captures you have shown - where are they taken from? tcpdump from the VMs or packet capture from the PAN FW?

 

This doesn't seem to be PAN FW specific so I would suggest you start with the basics:

- Ping Kali VM from firewall -> ping source 192.168.99.1 host 192.168.99.5

- Check if the firewall has an ARP entry for Kali VM -> show arp <interface-to-kali>

- Repeat the same from Kali VM (it is good to run the ping before checking ARP to generate fresh ARP requests)

 

My assumption is that the Kali VM is not set up properly and most probably it is either using vnic or using the wrong VLAN, so the Kali VM is not actually connected in the same layer3 network as the PAN FW. The above steps aim to confirm that - if you don't have ARP (incomplete) from FW to Kali or vice versa, it seems you don't have layer2 connectivity.

 

The FW operates at layer3, so even if it is blocking the traffic (security rule, zone protection, content inspection etc.) you must at least see an ARP entry for the Kali VM.

 

If there is indeed an ARP entry, the best option to understand why traffic is being blocked is to use global counters with a packet filter.

The following link describes how to collect this information - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS

In summary:

- Enable the filter

- Run twice "show counter global filter packet-filter yes delta yes" (before running any actual traffic to "clear" the delta)

- Run a simple ping from Kali VM

- Check global counters again and see what the output is.

 

 

Accepted solution

Everything was in order. On looking at the routes, I found the Kali IP assigned to a loopback interface on the PA, causing a duplicate IP issue. Excluding it from the DHCP assignment range in the PA resolved it.
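The root cause in the accepted solution, a firewall-owned address sitting inside the DHCP lease range, can be audited offline before a client ever receives the conflicting lease. The Python below is an added example, not part of the original thread and not Palo Alto tooling; the interface names, the pool range and the input format are constructed assumptions that reuse the 192.168.99.x addresses from the reply above.

```python
import ipaddress

def parse_pool(entry):
    """Return (first, last) for 'a.b.c.d-e.f.g.h' or a CIDR subnet."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
    else:
        net = ipaddress.ip_network(entry, strict=False)
        lo, hi = net[0], net[-1]
    if lo > hi:
        raise ValueError(f"pool start after end: {entry}")
    return lo, hi

def find_conflicts(interfaces, pools):
    """List (interface, ip, pool) where a firewall-owned IP is leasable."""
    hits = []
    for name, cidr in interfaces.items():
        ip = ipaddress.ip_interface(cidr).ip
        for entry in pools:
            lo, hi = parse_pool(entry)
            if lo <= ip <= hi:
                hits.append((name, str(ip), entry))
    return hits

def carve_out(pool, owned_ips):
    """Split one pool into ranges that skip the firewall-owned addresses."""
    lo, hi = parse_pool(pool)
    ranges, start = [], lo
    for ip in sorted(ipaddress.ip_address(i) for i in owned_ips):
        if ip < start or ip > hi:
            continue  # outside the remaining range, or a duplicate entry
        if ip > start:
            ranges.append(f"{start}-{ip - 1}")
        start = ip + 1
    if start <= hi:
        ranges.append(f"{start}-{hi}")
    return ranges

# Constructed sample data (hypothetical interface names, assumed pool range).
INTERFACES = {"ethernet1/2": "192.168.99.1/24", "loopback.1": "192.168.99.5/32"}
POOLS = ["192.168.99.2-192.168.99.50"]

if __name__ == "__main__":
    for name, ip, pool in find_conflicts(INTERFACES, POOLS):
        print(f"{name} owns {ip}, which pool {pool} can lease to a client")
        print("pool with that address excluded:", carve_out(pool, [ip]))
```
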
