06-30-2013 06:05 AM
We recently purchased PA-3020s, mainly for application control reasons, and put them behind Cisco ASAs. I set up a trust-to-untrust policy which applies to outbound internet traffic. I denied unwanted apps and allowed the rest using user group mapping. That is all working fine and users can access the internet with no problem.
Well, last week I tried to do the same with the default untrust-to-trust policy for the inbound traffic. I created a policy that allowed the DMZ and remote VPN traffic coming through the ASA, and I changed the default untrust-to-trust policy from allow to deny. The result was that internet access stopped. No one could access the Internet and I had to back the change out.
My thinking was that this is a stateful firewall and, for any outbound traffic, the return traffic should pass through if it matches an established session. Is this not right with the PA firewall? Do they do stateful inspection or not?
thank you
06-30-2013 09:44 AM
Hi,
Palo Alto is stateful by default. Do you have 1 Cisco ASA or 2 Cisco ASAs in that topology?
Are they active/passive or active/active?
You should examine the logs related to the clients so that you will see what happened during that config.
07-01-2013 07:18 AM
I have 2 ASAs active/standby, same as the PAs. The PAs are in vwire mode. Let me try it again and I will check the logs closely or post them here.
Thank you all for the input.
07-02-2013 05:51 AM
I discovered what the issue was. It was an error on my part in how I configured the policy. Thank you all.
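The stateful behaviour discussed in this exchange, as an added illustration that is not from the original thread or from Palo Alto Networks: a toy Python policy engine in which the session table is consulted before the zone-to-zone rules, so return traffic for an outbound session passes while a brand-new inbound connection hits the untrust-to-trust deny. The zones, rule order and addresses are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed example of a stateful policy engine (not PAN-OS code).
# Zones, rule order and addresses are assumptions mirroring the thread.

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

# (from_zone, to_zone, action); first match wins, anything unmatched is denied.
RULES = [
    ("trust", "untrust", "allow"),  # outbound internet access
    ("untrust", "trust", "deny"),   # the default inbound rule after the change
]

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()  # 5-tuples of flows already permitted by a rule

    @staticmethod
    def _key(p, reverse=False):
        if reverse:  # how the reply to this packet would look
            return (p.proto, p.dst, p.dport, p.src, p.sport)
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def process(self, p):
        # Session lookup runs before the rulebase: a reply to an established
        # flow is forwarded even though untrust-to-trust is set to deny.
        if self._key(p) in self.sessions or self._key(p, True) in self.sessions:
            return "allow(session)"
        action = next((a for f, t, a in self.rules
                       if (p.src_zone, p.dst_zone) == (f, t)), "deny")
        if action == "allow":
            self.sessions.add(self._key(p))  # only rule-allowed flows create state
        return action

def demo():
    fw = StatefulFirewall(RULES)
    out = Packet("trust", "untrust", "10.1.1.5", "203.0.113.10", 51000, 443)
    reply = Packet("untrust", "trust", "203.0.113.10", "10.1.1.5", 443, 51000)
    unsolicited = Packet("untrust", "trust", "198.51.100.7", "10.1.1.5", 40000, 3389)
    return fw.process(out), fw.process(reply), fw.process(unsolicited)
```

If the outbound rule itself never matches (the mistake the original poster found in his own policy), no session is ever created and the reply is treated as unsolicited inbound traffic and denied.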
05-07-2015 03:51 AM
Hi Team,
Is there any document available that says the PA 3020 is stateful?
Please share a link to download.
05-07-2015 09:26 AM
NickySorot, as was stated before, all Palo Alto Networks firewalls are stateful by default.
If you require something specific, please let us know.
05-11-2015 06:07 AM
OK, thanks. Can you share a document link to prove that this is stateful?
One more question: can we assign multiple segments on one interface?
ex: 192.168.1.0 to 192.168.1.32
192.168.1.33 to 192.168.1.64
05-11-2015 07:02 AM
NickySorot
The information that you are looking for can be found at this link:
https://www.paloaltonetworks.com/resources/learning-center/what-is-a-firewall.html
Amjad
05-11-2015 08:59 AM
Nicky, the link was posted about being stateful.
As far as the multiple segments: you can place as many IP addresses as you want on an interface.
It looks like you want a "range". Do you mind if I ask why you are wanting to do that? For what purpose? NAT?
05-11-2015 10:27 PM
I want to create multiple logical networks, like a group of 30 hosts, and keep them separate logically, to allow access based on policy between these small subsets.
05-12-2015 06:53 AM
Nicky,
Thanks for the response, but I am confused why you would need so many IPs in the same range for something like that. It seems unnecessary. I would like to think that you just need to restrict access based upon the IP, and you can do that through a network range/subnet.
05-18-2015 05:36 AM
Hi,
What is the delivery timeline for replacement of a faulty firewall in the case of premium support? One of our firewalls has been down for the last 2-3 days.
05-18-2015 01:59 PM
If you have Premium support and need to replace a unit, you need to contact TAC and report it.
Usually the replacement units are shipped out the next day, and they should arrive 2 days after being reported. This can sometimes be quicker, but this is the official answer.
For example, let's say you call Monday and report an issue that needs an RMA. The replacement unit is shipped on Tuesday to arrive on Wednesday morning, usually before 10:30 AM.
That is unless you have paid for 4 Hour Replacement, which means that 4 hours after TAC determines this to be an RMA, you get a replacement unit within 4 hours. But that is ONLY with a 4 hour agreement.
I hope this helps.