05-03-2024 03:46 AM - edited 05-03-2024 03:50 AM
Hi everyone. I have a PA-220 firewall. It is currently connected via interface 1/8 to an internet connection that I will soon have to discontinue, and which I will call GW1 here.
At the same time I activated a new internet connection that I will call GW2, connected to interface 1/7 of the firewall.
I would like to understand, before disconnecting the GW1 from the 1/8 interface, whether I have correctly performed all the configurations for the GW2 connection.
Via CLI, the command "ping source ip_gw2 host 8.8.8.8" cannot reach it.
If instead I try to execute the command "ping source ip_gw1 host 8.8.8.8", this responds correctly. Could it be a problem as a rule? Or is the firewall not able to support two different internet connections at the same time? Thanks
05-03-2024 09:16 AM
It can support multiple internet connections.
Do you have routing set up to use GW2?
Can you ping the next hop on GW2 sourced from 1/7? If you don't have a route to go to the next hop on GW2, then a ping to 8s sourced from there won't work.
05-03-2024 11:15 PM
I created a second virtual router and assigned the 1/7 GW2 interface to it. In the static routes tab I entered the public IP provided by the ISP.
05-05-2024 02:27 PM
I'm starting to think that the interface used for the second ISP is configured correctly despite the ping problems.
But I wonder...why does the command "ping source ip_gw2 host 8.8.8.8" get no response (neither lost packets nor successful packets) while the command "ping source ip_gw2 host www.google.com" gets responses instead?
05-05-2024 11:52 PM
I can also ping 8.8.4.4. While the ping towards 8.8.8.8 remains stationary:
05-06-2024 07:55 AM
That is odd. If you do a traceroute, does it even get to the first hop?
05-07-2024 08:22 AM
It's the same as ping, traceroute source x.x.x.x host 8.8.8.8
05-07-2024 09:19 AM
This is the result.
Please note that at the firewall I set 8.8.8.8 as the first DNS and 8.8.4.4 as the second DNS.
If I reverse it then I can ping 8.8.8.8 but no longer 8.8.4.4 🙂
05-07-2024 09:24 AM
Do you have the same results with the other ISP?
05-07-2024 12:20 PM
Hello,
What do the traffic logs show? Is icmp allowed out that interface? Is eth 1/7 in the proper zone?
Regards,
05-07-2024 01:30 PM
With the other ISP the traceroute and ping are OK:
05-07-2024 01:48 PM
1/7 is in an untrust zone, similar to 1/8.
I think icmp is allowed since in the security policies in the application tab I set "any".
05-07-2024 01:51 PM
Hello,
On the new ISP interface, put in a specific route to something on the internet that is not required by the general users, i.e. you can use Google's DNS IP 8.8.8.8 if the other networks don't rely on it. Since it's a specific route, it will take precedence over the 0.0.0.0/0 path.
Regards,
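
Added example, not part of the reply above and not PAN-OS code: a generic longest-prefix-match lookup showing why a /32 route for 8.8.8.8 out 1/7 wins over the 0.0.0.0/0 path out 1/8. It assumes both routes sit in one routing table; the next-hop addresses are constructed placeholders from documentation ranges, and the metric tie-break is a simplification.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: str      # constructed placeholder address
    interface: str     # interface label as used in the thread
    metric: int = 10


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Return the best route for dst: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


# Constructed routing table modelling the suggestion:
# default route via GW1 on 1/8, host route for the test target via GW2 on 1/7.
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "192.0.2.1", "1/8"),
    Route(ipaddress.ip_network("8.8.8.8/32"), "198.51.100.1", "1/7"),
]


def egress(dst: str, routes: Optional[List[Route]] = None) -> str:
    """Interface a packet to dst would leave on, or 'no route'."""
    best = lookup(ROUTES if routes is None else routes, dst)
    return best.interface if best else "no route"


if __name__ == "__main__":
    # Only the test target follows the new ISP; everything else stays on GW1.
    for dst in ("8.8.8.8", "8.8.4.4", "1.1.1.1"):
        print(f"{dst:10s} -> {egress(dst)}")
```
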
05-07-2024 01:58 PM
Guys, I just discovered something... it seems that 1/8 is not able to ping the DNS set on the firewall (8.8.8.8 and 8.8.4.4 in fact). If I set only one DNS, for example 1.1.1.1, 1/8 magically starts to ping both 8.8.8.8 and 8.8.4.4. Obviously it doesn't ping 1.1.1.1 anymore. Is this normal behavior?