Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
04-03-2019 01:42 PM
Quick write here. We currently use Pingdom to monitor external reachability to services and our remote office edge devices. In some scenarios such as new office deployments, we may need to utilize the WAN interface to setup the device. The problem here is the All-or-None approach of management profiles. We want only ping from pingdom's probes and http from our specified management nodes.
Since pings to any interface are considered 'management' there's no way to setup a security policy to allow the probes, so my next question is now whether or not this is even possible?
Thanks in advance.
04-04-2019 10:38 AM - edited 04-04-2019 10:39 AM
If it is not constant ping thenyou might miss it because ping sessions are cleared after 6 seconds.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRiCAK
04-04-2019 10:43 AM
Fair enough. This would be one ping every minute - I can't specify the exact second between each minute. I did refresh the sessions page every few seconds for a couple of minutes and still didn't see any pings.
04-04-2019 11:45 AM - edited 04-04-2019 11:55 AM
Alright, I figured it out. Feeling a little foolish here but essentially 3 of my 4 tabs were on the correct device in Panorama, the one that was not on the correct device had the IP I was setting up for rules, probes, etc.
Issue resolved, there was no foul play, just user error.
Still running into the same issue - why traffic is not hitting the security policy rule but instead hitting the inter/intra zone rules. I now see the traffic in the monitor, the dynamic list is populating the correct addresses, the destination address is correct but traffic flows are still aging out.
04-04-2019 12:23 PM
Fixed the rules, needed to set the security policy type to 'intrazone' and changed the application from 'icmp' to 'ping'.
Now traffic logs are hitting the rule, however still timing-out. I'm wondering if this is due to the management profile now allowing the IPs for ping.
04-04-2019 12:43 PM
By timing out you mean session end reason?
Well this is normal for udp and icmp protocols.
In case of TCP there is session setup and teardown procedure.
04-04-2019 02:11 PM - edited 04-05-2019 05:39 AM
That's true!
I did get this working, now it's just a matter of locking it down. I was able to allow ping outside via and intrazone rule, allowing ping in the management profile for the external interface, and removing the addresses in the management profile.
Here's a link to how it was solved, not exactly what I was trying to do but same solution.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
