
Pingdom & Management Profiles


Quick write here.  We currently use Pingdom to monitor external reachability to services and our remote office edge devices.  In some scenarios, such as new office deployments, we may need to utilize the WAN interface to set up the device.  The problem here is the all-or-none approach of management profiles.  We want only ping from Pingdom's probes and HTTP from our specified management nodes.

Since pings to any interface are considered 'management', there's no way to set up a security policy to allow the probes, so my next question is whether or not this is even possible?

Thanks in advance.


If it is not a constant ping then you might miss it, because ping sessions are cleared after 6 seconds.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRiCAK

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Fair enough.  This would be one ping every minute - I can't specify the exact second between each minute.  I did refresh the sessions page every few seconds for a couple of minutes and still didn't see any pings.

Alright, I figured it out.  Feeling a little foolish here, but essentially 3 of my 4 tabs were on the correct device in Panorama; the one that was not on the correct device had the IP I was setting up for rules, probes, etc.

Issue resolved, there was no foul play, just user error.

Still running into the same issue: why is traffic not hitting the security policy rule, but instead hitting the inter/intrazone default rules?  I now see the traffic in the monitor, the dynamic list is populating the correct addresses, the destination address is correct, but traffic flows are still aging out.

Fixed the rules, needed to set the security policy type to 'intrazone' and changed the application from 'icmp' to 'ping'.

Now traffic logs are hitting the rule, however still timing-out.  I'm wondering if this is due to the management profile now allowing the IPs for ping.

By "timing out", do you mean the session end reason?

Well, this is normal for the UDP and ICMP protocols.

In the case of TCP there is a session setup and teardown procedure.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

That's true!

I did get this working, now it's just a matter of locking it down.  I was able to allow ping from outside via an intrazone rule, allowing ping in the management profile for the external interface, and removing the addresses in the management profile.

Here's a link to how it was solved, not exactly what I was trying to do but same solution.
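The configuration the thread converges on, written out as an added example in PAN-OS CLI `set` syntax (this is not the poster's config and not from the linked article; it illustrates the pattern). The weak form keeps a single `permitted-ip` list on the management profile, which applies to every enabled service at once. The corrected form leaves the profile with no `permitted-ip`, enables only the services needed, and moves the per-source restriction into intrazone security rules that match the application `ping` (not `icmp`), because traffic to the firewall's own interface address is evaluated by security policy with the same ingress and egress zone. All names are hypothetical: zone `untrust`, interface `ethernet1/1`, address objects `wan-ip` and `mgmt-node`, profile names `wan-all` and `wan-services`, EDL name `pingdom-probes`; the IP addresses are constructed documentation ranges, and the Pingdom probe-list URL is assumed (use whatever list Pingdom currently publishes). Syntax follows PAN-OS 9.x/10.x; verify against your release.

```panos
configure

# --- Weak: one permitted-ip list for all enabled services (what the thread found unworkable) ---
# The probe range below could reach HTTPS as well as ping, and the management node
# could ping as well as manage; the list cannot be split per service.
set network profiles interface-management-profile wan-all ping yes
set network profiles interface-management-profile wan-all https yes
set network profiles interface-management-profile wan-all permitted-ip 203.0.113.10/32   # constructed: management node
set network profiles interface-management-profile wan-all permitted-ip 198.51.100.0/24   # constructed: probe range

# --- Corrected: profile enables services only, no permitted-ip; sources are restricted per rule ---
set network profiles interface-management-profile wan-services ping yes
set network profiles interface-management-profile wan-services https yes
set network interface ethernet ethernet1/1 layer3 interface-management-profile wan-services

# External dynamic list of probe addresses (URL is an assumption; one IP or CIDR per line)
set external-list pingdom-probes type ip url https://my.pingdom.com/probes/ipv4 recurring hourly

# Address objects (constructed values)
set address wan-ip ip-netmask 192.0.2.1/32
set address mgmt-node ip-netmask 203.0.113.10/32

# Ping from the probes to the WAN interface address. Must be intrazone (untrust -> untrust)
# and must use application 'ping'; 'icmp' does not match echo request/reply sessions.
set rulebase security rules allow-pingdom-ping rule-type intrazone from untrust to untrust source pingdom-probes destination wan-ip application ping service application-default action allow log-end yes

# Management from the named nodes only. Application is left 'any' here; tighten it to the
# App-ID your release assigns to the web UI once you see it in the traffic log.
set rulebase security rules allow-mgmt-https rule-type intrazone from untrust to untrust source mgmt-node destination wan-ip application any service service-https action allow log-end yes

# The built-in intrazone-default rule is 'allow', so deny everything else to the interface
# address explicitly, with logging, or the restriction above is not enforced.
set rulebase security rules deny-to-wan-ip rule-type intrazone from untrust to untrust source any destination wan-ip application any service any action deny log-end yes

commit
```

Order matters: the two allow rules must sit above `deny-to-wan-ip`. Expect ping sessions to show an end reason of `aged-out` in the traffic log; ICMP has no teardown, so that is the normal end reason and not a sign the rule failed. If the config is pushed from Panorama, the rules go in the device group and the profile and interface binding in the template.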
