11-02-2021 10:07 AM
Hello Bro,
In our network we used to be in the same VLAN as our employees' endpoints, and we used to use the command ping -a x.x.x.x
to resolve the name of the pinged IP.
After we moved our PCs "admins" to a different zone, we can't use this command anymore; the ping is working but the parameter -a is not getting any names.
Knowing that we still have full access to the DNS.
I believe this is a firewall matter, and as I read, ping -a uses some layer 2 stuff.
Things are not clear, so how can we have ping -a getting the names in the command output again?
TIA
11-02-2021 04:50 PM
This option works perfectly fine through security zones on my firewall without any issues. If this only started happening after you moved these machines into a new security zone, try enabling logging on your interzone-default to ensure you're capturing denied traffic and see if anything is getting blocked due to not being included in your rulebase.
11-02-2021 09:52 PM
Thank you @BPry so much for the reply.
We are not blocked from anything from our new zone, and the monitor logs say nothing is denied.
I will double check, but if you tell me how ping -a works, that may help me resolve it.
Any ideas appreciated.
11-02-2021 11:54 PM
@aortiz name resolution via DNS is working with no problem both before and after the zone separation; this is for DNS.
But after changing to the new zone, ping -a x.x.x.x is not working "it was working before changing zone".
11-03-2021 04:46 PM
If it worked via DNS and your DNS traffic is not being blocked, then it should still work. I suspect the name resolution was working via NetBIOS, which uses a broadcast destination address and is most likely not being forwarded across. You can test ping -a from the new zone to verify it still works on the same broadcast domain, and play with nslookups to test DNS.
11-03-2021 05:39 PM
Hi,
1. Can you check the interface setting and its zone protection configuration? It may be possible that ping is blocked at the interface level.
2. Can you check the output of tracert and see where it gets dropped? It will give you an idea of the hops that come in between source and destination. You can check all devices if you are sure that the PA configuration is fine.
3. Is ping not working for a specific subnet or for the whole network?
11-04-2021 06:38 AM
Offhand I don't know how ping -a functions in the background and whether it uses NetBIOS or DNS for the name resolution. The only thing that I can tell you for sure is that I can do it successfully across security zones without any issues. This is the first time that I've actually even heard of ping -a, and it's not extremely useful personally, but it's perfectly functional across L3 security zones without any issue.
11-04-2021 08:10 AM - edited 11-04-2021 08:11 AM
Hi,
I hope anyone can tell me how this ping -a works.
Is it working by querying the name "from the DNS", so I need to have access to the DNS, which is already provided?
Is it using the NetBIOS name? How do I enable this app in the security rules?
"By the way, just now I found that ping -a is working to another zone."
11-06-2021 01:49 PM
Hello Bro,
After using the packet capture, I have discovered that the command ping -a x.x.x.x uses LLMNR "Link-Local Multicast Name Resolution". Kindly, anyone correct me or tell me how to allow this kind of multicast app "a bit risky app, but I need to POC it".
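An added example, not written by any participant in this thread: a small Python triage of captured reverse-lookup queries that reports which resolver each one went to and whether its destination can leave the local segment. LLMNR (RFC 4795) queries go to 224.0.0.252 on UDP 5355, a link-scope multicast address that routers do not forward, while a DNS PTR query is ordinary unicast; the function names and every address in the sample are constructed for illustration.

```python
import ipaddress
import struct

LLMNR_GROUP = ipaddress.ip_address("224.0.0.252")   # RFC 4795, UDP 5355
LINK_SCOPE = ipaddress.ip_network("224.0.0.0/24")   # link-scope multicast, not routed

def build_ptr_query(ip, txid, flags):
    """PTR question in DNS wire format; LLMNR reuses the same layout."""
    name = ipaddress.ip_address(ip).reverse_pointer  # e.g. 3.2.1.10.in-addr.arpa
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!2H", 12, 1)

def parse_question(payload):
    """Return (qname, qtype) of the first question in a DNS or LLMNR payload."""
    pos, labels = 12, []
    while payload[pos]:
        n = payload[pos]
        if n & 0xC0:
            raise ValueError("unexpected compression pointer in question")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels), struct.unpack_from("!H", payload, pos + 1)[0]

def classify(dst_ip, dst_port, local_net):
    """Map a query's destination to (resolver, can_cross_l3_boundary)."""
    dst, net = ipaddress.ip_address(dst_ip), ipaddress.ip_network(local_net)
    on_link_only = dst in LINK_SCOPE or dst in (
        net.broadcast_address, ipaddress.ip_address("255.255.255.255"))
    resolver = {53: "DNS", 137: "NetBIOS-NS", 5355: "LLMNR"}.get(dst_port, "other")
    return resolver, not on_link_only

def triage(capture, local_net):
    """Summarise which resolver each captured reverse lookup used."""
    out = []
    for dst_ip, dst_port, payload in capture:
        resolver, routable = classify(dst_ip, dst_port, local_net)
        qname, qtype = parse_question(payload)
        out.append((resolver, qname, qtype == 12, routable))  # 12 = PTR
    return out

# Constructed capture rows: (destination IP, destination UDP port, payload).
SAMPLE = [
    ("10.0.0.53", 53, build_ptr_query("10.20.30.40", 0x1A2B, 0x0100)),       # DNS, RD set
    (str(LLMNR_GROUP), 5355, build_ptr_query("10.20.30.40", 0x3C4D, 0x0000)),  # LLMNR
]

if __name__ == "__main__":
    for row in triage(SAMPLE, "10.10.10.0/24"):
        print(row)
```

A row whose last field is False was sent to a broadcast or link-scope multicast destination, so a security rule on a routed firewall never sees it; a name that only resolves that way needs a PTR record in DNS to resolve from another subnet.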